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Preface 


Using the Oualys Gloud Platform API (VM, PC), third parties can integrate their own 
applications with Oualys cloud security and compliance solutions using an extensible 
XML interface. The APIs and related XML output and DTDs described in this guide are 
available to customers using the Qualys API. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com. 


Contact Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/. 
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Chapter 1 - Introduction 


The Qualys Cloud Platform API (VM, PC) allows third parties to integrate their own 
applications with Oualys Vulnerability Management and Policy Compliance solutions 
using an extensible XML interface. This document provides a reference to XML output and 
DTDs related to the Oualys API. 


Helpful resources 

Looking for API documentation? 

Visit our Documentation page at 
https://www.gualys.com/documentation/ 


Get API Notifications 


We recommend you join our Community and subscribe to our API Notifications RSS Feeds 
for announcements and discussions. 


From our Community 
Join our Community 


API Notifications RSS Feeds 


URL to Qualys API Server 


The Qualys API URL you should use for API requests depends on the Qualys platform 
where your account is located. 


Click here to identify your Qualys platform and get the API URL 


This documentation uses the API server URL for Qualys US Platform 1 
(https://qualysapi.qualys.com) in sample API requests. If you're on another platform, 
please replace this URL with the appropriate server URL for your account. 


Still have questions? You can easily find the API server URL for your account. 


Just log in to your Qualys account and go to Help > About. You'll see this information 
under General Information > Security Operations Center (SOC). 
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Chapter 2 - Scans XML 


This section describes the XML output returned from Scans API reguests. 
Scan List Output 

SCAP Scan List Output 

Scheduled Scan List Output 
Vulnerability Scan Results 
Compliance Scan Results 

VM Recrypt Results (Scan Statistics) 
Scan Summary Output 

Scanner List Output 

PCI Scan Share Status Output 
KnowledgeBase Output 

Customized Vulnerability List Output 
Map Report - Version 2 

Map Report - Single Domain 


Map Report List Output 
EC2 Instance ID Scan Launch Output 
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Scan List Output 
API used 


<platform API server>/api/2.0/fo/scan/?action=list 


DTD for Scan List Output 
<platform API server>/api/2.0/fo/scan/scan_list_output.dtd 
A recent DTD is shown below. 


<!-- QUALYS SCAN LIST OUTPUT DTD --> 


<!ELEMENT SCAN LIST OUTPUT (REQUEST?, RESPONSE) > 
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<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 


POST DATA?) > 
<!ELEMENT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (#PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA) > 
<!ELEMENT PARAM LIST (PARAM+) > 
<!ELEMENT PARAM (KEY, VALUE) > 
<!ELEMENT KEY (#PCDATA) > 
<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 
<!ELEME POST DATA (#PCDATA) > 


A 


<!ELEMENT RESPONSE (DATETIME, SCAN LIST?)> 
<!ELEMENT SCAN LIST (SCAN+) > 
<!ELEMENT SCAN (ID?, REF, SCAN TYPE?, TYPE, TITLE, USER 


LOGIN, 


LAUNCH DATETIME, DURATION, PROCESSING PRIORI 
PROCESSED, STATUS?, TARGET, ASSET GROUP TIT 
OPTION PROFILE?) > 
MENT ID (#PCDATA)> 
MENT REF (#PCDATA) > 
<!ELEMENT SCAN TYPE (#PCDATA) > 
M 
M 


ENT TYPE (#PCDATA) > 


ENT TITLE (#PCDATA) > 
<!ELEMENT CLIENT (ID, NAME) > 
<!ELEMENT LAUNCH DATETIME (#PCDATA) > 
<!ELEMENT DURATION (#PCDATA) > 
<!ELEMENT PROCESSING PRIORITY (#PCDATA) > 
<!ELEMENT PROCESSED (#PCDATA) > 
<!ELEMENT STATUS (STATE, SUB STATE?) > 
MENT STATE (#PCDATA) > 
MENT SUB STATE (#PCDATA) > 
MENT TARGET (#PCDATA) > 
<!ELEMENT ASSET GROUP TITLE LIST (ASSET GROUP TITLE+) > 

M 
M 
M 


ENT ASSET GROUP TITLE (#PCDATA) > 
ENT OPTION PROFILE (TITLE, DEFAULT FLAG?) > 
ENT DEFAULT FLAG (#PCDATA) > 

EOF --> 


T 


TY?, 
E LIST?, 
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XPaths for Scan List Output 


XPath element specifications / notes 
/SCAN LIST OUTPUT (REOUEST?, RESPONSE) 


/SCAN LIST. OUTPUT/REOUEST 


(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/SCAN LIST. OUTPUT/REOUEST/DATETIME — (4PCDATA) 


The date and time of the request. 
/SCAN LIST. OUTPUT/REOUEST/USER LOGIN (#PCDATA) 


The user login ID of the user who made the request. 


/SCAN_LIST_OUTPUT/REQUEST/RESOURCE  (#PCDATA) 


The resource specified for the request. 
/SCAN_LIST_OUTPUT/REQUEST/PARAM_LIST (PARAM+) 
/SCAN_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 


/SCAN_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM/KEY  (#PCDATA) 


The input parameter name. 
/SCAN LIST. OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE  (#PCDATA) 


The input parameter value. 
/SCAN LIST OUTPUT/REOCUEST/POST DATA  (#PCDATA) 
he POST data, if any. 


/SCAN LIST. OUTPUT/RESPONSE 

(DATETIME, SCAN LIST?) 
ESPONSE/SCAN LIST (SCAN+) 
ESPONSE/SCAN. LIST/SCAN 


(ID?, REF, SCAN_TYPE?, TYPE, TITLE, USER. LOGIN, LAUNCH_DATETIME, 
DURATION, PROCESSING PRIORITY?, PROCESSED, STATUS?, TARGET, 
ASSET. GROUP TITLE. LIST?, OPTION. PROFILE?) 


/SCAN LIST OUTPUT/RESPONSE/SCAN LIST/SCAN/ID  (#PCDATA) 


as) 


/SCAN LIST. OUTPUT/ 


/SCAN LIST. OUTPUT/ 


lg) 


[he scan ID. 
/SCAN LIST. OUTPUT/RESPONSE/SCAN. LIST/SCAN/REE (#PCDATA) 


The scan reference code. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/SCAN_TYPE (#PCDATA) 


For a CertView VM scan this is set to “CertView”. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/TY PE (#PCDATA) 


The scan type: On-Demand, Scheduled or API. 
/SCAN LIST. OUTPUT/RESPONSE/SCAN LIST/SCAN/TITLE  (#PCDATA) 


The scan title. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/CLIENT 


(ID,NAME) 
/SCAN. LIST. OUTPUT/RESPONSE/SCAN. LIST/SCAN/CLIENT/ID (#PCDATA) 


Id assigned to the client. (only for Consultant type subscriptions) 


10 


Gualys API (VM, PC) XML/DTD Reference 


Chapter 2 - Scans XML 


XPath element specifications / notes 
/SCAN LIST. OUTPUT/RESPONSE/SCAN LIST/SCAN/CLIENT /NAME (#PCDATA) 
Name of the client. (only for Consultant type subscriptions) 
/SCAN LIST OUTPUT/RESPONSE/SCAN LIST/SCAN/USER LOGIN  (*PCDATA) 
The user login ID of the user who launched the scan. 
/SCAN LIST. OUTPUT/RESPONSE/SCAN LIST/SCAN/LAUNCH DATETIME (#PCDATA) 
The date and time when the scan was launched. 
/SCAN LIST. OUTPUT/RESPONSE/SCAN LIST/SCAN/DURATION — (#PCDATA) 
The time it took to perform the scan - when the scan status is Finished. For 
a scan that has not finished (queued, running), the duration is set to 
“Pending”. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/PROCESSING_PRIORITY (#PCDATA) 
(Applicable for VM scans only) The processing priority setting for the scan. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/PROCESSED  (#PCDATA) 
A flag that specifies whether the scan results have been processed. A value 
of 1 is returned when the scan results have been processed. A value of 0 is 
eturned when the results have not been processed. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/STATUS 
STATE, SUB-STATE? 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/STATUS/STATE — (#PCDATA) 


The scan state: Running, Paused, Canceled, Finished, Error, Queued (scan 
job is waiting to be distributed to scanner(s)), 
finished and scan results are being loaded onto the platform). 


or Loading (scanner(s) are 


/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/STATUS/SUB_STATE — (#PCDATA) 


The sub-state related to the scan state, if any. For scan state Finished, value 
can be: No_Vuln (no vulnerabilities found) or No_Host (no host alive). For 
scan state Queued, value can be: Launching (service received scan request), 
Pausing (service received pause scan request), or Resuming (service 


received resume scan request). 


/SCAN LIST. OUTPUT/RESPONSE/SCAN LIST/SCAN/TARGET  (#PCDATA) 

The scan target hosts. This element does not appear when API reguest 

includes ignore target=1. 

/SCAN LIST OUTPUT/RESPONSE/SCAN LIST/SCAN/ASSET. GROUP TITLE LIS (ASSET. GROUP TITLE+) 
/SCAN LIST. OUTPUT/RESPONSE/SCAN LIST/SCAN/ASSET. GROUP TITLE LIST/ASSET. GROUP TITLE 

(#PCDATA) 

The asset group title specified for the scan. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/OPTION_PROFILE (TITLE, DEFAULT_FLAG?) 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/OPTION_PROFILE/TITLE (#PCDATA) 

The option profile title specified for the scan. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/OPTION_PROFILE/DEFAULT_FLAG (#PCDATA) 


A flag that specifies whether the option profile was defined as the default 
option profile in the user account. A value of 1 is returned when this option 
profile is the default. A value of 0 is returned when this option profile is not 


the default. 
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SCAP Scan List Output 
API used 


<platform API server>/api/2.0/fo/scan/scap/?action=list 


DTD for SCAP Scan List Output 
<platform API server>/api/2.0/fo/scan/qscap_scan_list_output.dtd 
A recent DTD is shown below. 


<!-- QUALYS QSCAP SCAN LIST OUTPUT DTD --> 


<!ELEMENT SCAN LIST OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (#PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA)> 
<!ELEMENT PARAM LIST (PARAM+) > 
<!ELEMENT PARAM (KEY, VALUE) > 
<!ELEMENT KEY (#PCDATA) > 

<! ELEM 


ENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 
<!ELEME POST DATA (#PCDATA) > 

<!ELEMENT RESPONSE (DATETIME, SCAN LIST?)> 
<!ELEMENT SCAN LIST (SCAN+) > 
<!ELEMENT SCAN (1D?, REF, TYPE, TITLE, POLICY, USER LOGIN, 

LAUNCH DATETIME, STATUS?, TARGET, ASSET GROUP TITLE LIST?, 
OPTION PROFILE?) > 

<!ELEMENT ID (#PCDATA) > 

<!ELEMENT REF (#PCDATA) > 
<!ELEMENT TYPE (#PCDATA) > 
<!ELEMENT TITLE (#PCDATA) > 
<!ELEMENT POLICY (ID, TITLE)> 
<!ELEMENT »AUNCH DATETIME (#PCDATA 
<!ELEMENT STATUS (STATE, SUB_ STATE 
<!ELEMENT STATE (#PCDATA) > 
<!ELEMENT SUB STATE (#PCDATA) > 
<!ELEMENT TARGET (#PCDATA) > 
<!ELEMENT ASSET GROUP TITLE LIST (ASSET GROUP TITLE+) > 
<!ELEMENT ASSET GROUP TITLE (#PCDATA) > 
<!ELEMENT OPTION PROFIL (TITLE, DEFAULT FLAG?) > 
<!ELEMENT DEFAULT FLAG (#PCDATA) > 


A 


T 


T 
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XPaths for SCAP Scan List Output 


XPath element specifications / notes 
/SCAN LIST OUTPUT (REOUEST?, RESPONSE) 


/SCAN LIST. OUTPUT/REOUEST 


(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/SCAN LIST. OUTPUT/REOUEST/DATETIME — (4PCDATA) 


The date and time of the request. 


/SCAN LIST. OUTPUT/REOUEST/USER LOGIN (#PCDATA) 


The user login ID of the user who made the request. 
/SCAN_LIST_OUTPUT/REQUEST/RESOURCE — (*PCDATA) 


The resource specified for the request. 
/SCAN LIST. OUTPUT/REOUEST/PARAM. LIST (PARAM+) 
/SCAN LIST. OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE) 
/SCAN LIST. OUTPUT/REOUEST/PARAM LIST/PARAM/KEY  (#PCDATA) 
The input parameter name. 
/SCAN LIST. OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE (#PCDATA) 
The input parameter value. 
/SCAN LIST OUTPUT/REOUEST/POST DATA (#PCDATA) 

he POST data, if any. 
/SCAN LIST OUTPUT/RESPONSE (DATETIME, SCAN LIST?) 
/SCAN LIST. OUTPUT/RESPONSE/SCAN LIST (SCAN+) 
[SCAN LIST. OUTPUT/RESPONSE/SCAN LIST/SCA 


(ID?, REF, TYPE, TITLE, USER LOGIN, LAUNCH_DATETIME, STATUS?, 
TARGET, ASSET. GROUP TITLE LIST?, OPTION PROFILE? 


/SCAN LIST. OUTPUT/RESPONSE/SCAN. LIST/SCAN/ID (#PCDATA) 
The SCAP scan ID. 
/SCAN LIST. OUTPUT/RESPONSE/SCAN. LIST/SCAN/REE (#PCDATA) 


The SCAP scan reference code. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/TYPE (#PCDATA) 


The scan type: On-Demand, Scheduled or API. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/TITLE | (#PCDATA) 


The SCAP scan title. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/POLICY (ID, TONLE) 


/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/POLICY/ID (4PCDATA) 
The SCAP policy ID. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/POLICY/TITLE — (#PCDATA) 

The SCAP policy tit 
/SCAN LIST. OUTPUT/RESPONSE/SCAN LIST/SCAN/USER LOGIN  (*PCDATA) 


e; 


The user login ID of the user who launched the SCAP scan. 
/SCAN_LIST_OUTPUT/RESPONSE/SCAN_LIST/SCAN/LAUNCH_DATETIME | (#PCDATA) 


The date and time when the SCAP scan was launched. 
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element specifications / notes 


/SCAN_LIS 


OW) 


PUT/RESPONSE/SCAN_LIST/SCAN/STATUS 
(STATE, SUB-STATE? 


/SCAN_LIS 


- OU 


PUT/RESPONSE/SCAN LIST/SCAN/STATUS/STATE  (#PCDATA) 


The scan state: Running, Paused, Canceled, Finished, Error, Oueued (scan 
job is waiting to be distributed to scanner(s)), or Loading (scanner(s) are 
finished and scan results are being loaded onto the platform). 


/SCAN LIST OUTPUT/RESPONSE/SCAN LIST/SCAN/STATUS/SUB STATE — (4PCDATA) 


The sub-state related to the scan state, if any. For scan state Finished, value 
can be: No. Vuln (no vulnerabilities found) or No Host (no host alive). For 
scan state Oueued, value can be: Launching (service received scan reguest), 
Pausing (service received pause scan reguest), or Resuming (service 
received resume scan reguest). 


/SCAN_LIS 


ZOU) 


PUT/RESPONSE/SCAN_LIST/SCAN/TARGET  (*PCDATA) 
The target hosts selected for the SCAP scan. 


/SCAN_LIS 


OW 


PUT/RESPONSE/SCAN_LIST/SCAN/ASSET_GROUP_TITLE_LIS (ASSET_GROUP_TITLE+) 


/SCAN_LIS 


OW) 


PUT/RESPONSE/SCAN_LIST/SCAN/ASSET_GROUP_TITLE_LIST/ASSET_GROUP_TITLE 
(#PCDATA) 
The asset group title selected for the SCAP scan. 


/SCAN_LIS 


ZO) 


PUT/RESPONSE/SCAN_LIST/SCAN/OPTION_PROFILE (TITLE, DEFAULT_FLAG?) 


/SCAN_LIS 


(9) 


PUT/RESPONSE/SCAN LIST/SCAN/OPTION PROFILE/TITLE (#PCDATA) 
The option profile title seleted for the SCAP scan. 


/SCAN_LIS 


- OU 


PUT/RESPONSE/SCAN LIST/SCAN/OPTION PROFILE/DEFAULT FLAG (#PCDATA) 


A flagthat specifies whether the option profile was defined as the default 

option profile in the user account. A value of 1 is returned when this option 
profile is the default. A value of 0 is returned when this option profile is not 
the default. 
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Scheduled Scan List Output 
API used 


<platform API server>/api/2.0/fo/schedule/scan/?action=list 


DTD for Scheduled Scan List Output 
<platform API server>/api/2.0/fo/schedule/scan/schedule_scan_list_output.dtd 


A recent DTD is shown below. 


<!-- QUALYS SCHEDULE SCAN LIST OUTPUT DTD --> 


<!ELEMENT SCHEDULE SCAN LIST OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 


<!ELEMENT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (#PCDATA) > 
! E SOURCE (#PCDATA) > 
<!ELEMENT PARA | LIST (PARAM+) > 
<!ELEMENT PARA (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


A 
A 
ps) 


<!ELEMENT RESPONSE (DATETIME, SCHEDULE SCAN LIST?)> 
<!ELEMENT SCHEDULE SCAN LIST (SCAN+) > 
<!ELEMENT SCAN (ID, SCAN TYPE?, ACTIVE, TITLE?, USER LOGIN, TARGET, 
NETWORK ID?, ISCANNER NAME?, EC2 INSTANCE?, CLOUD DETAILS?, 
ASSET GROUP TITLE LIST?, ASSET TAGS?, EXCLUDE IP PER SCAN?, 
USER ENTERED IPS?, ELB DNS, OPTION PROFILE?, PROCESSING PRIORITY?, 
NOTIFICATIONS?) > 
<!ELEMENT ID (#PCDATA) > 
A (# PCDATA) > 
<!ELEMENT TITLE (#PCDATA) > 
(I 
( 


D, NAME) > 

i PCDATA) > 

<!ELEMENT NETWORK ID (#PCDATA) > 

<!ELEMENT ISCANNER NAME (#PCDATA) > 

<!ELEMENT EC2 INSTANCE (CONNECTOR UUID, EC2 ENDPOINT, EC2 ONLY CLASSIC?)> 
<!ELEMENT CONNECTOR UUID (#PCDATA) > 

<!ELEMENT EC2 ENDPOINT (#PCDATA) > 

<!ELEMENT EC2 ONLY CLASSIC (#PCDATA) > 


El 


, CLOUD TARGI 


t 
E 
V 


<!ELEMENT CLOUD DETAILS (PROVIDER, CONNECTOR, SCAN TYP! 
ER (#PCDATA) > 
ONNECTOR (ID?, UUID, NAME) > 
(# PCDATA) > 
(# PCDATA) > 
CAN TYPE (#PCDATA) > 
„OUD TARGET (PLATFORM, REGION?, VPC SCOPE, VPC LIST?)> 
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ATFORM ( 
EGION (UU 
ODE 
PC SCOPE 
PC LIST 
PC (UUI 


D) 


ENT 
ENT 
ENT 


ASSET_GROU 
ET GROU 
T TAGS 
ECTOR 
RANGE TAGS 


#PCDATA) > 
ID, CODE?, 


NAM 


(+ PCDATA) > 


(#PCDATA) > 


(VPC+) > 


> 


P TITLE 
P TITL 
(TAG 


IST 
PCDATA) > 
EL 


(ASSET GRO 


ECTOR, 
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E+) > 


INCLU 


?, TAG UDE 


2 
or 


US 


INCLU P N 


TAG SET. 
E IP NT RANG 


T RANGE TAGS 


EXCL 


ECTOR ( 


INC 


UDE 


DE ( 


ECTOR ( 


E (#PCDATA 


TAGS ( 
TAGS INCLUDE 


E TAGS EXCLUDE 


SCAN (+ PCDATA 


ED IPS (RANGE+)> 


DEFAULT 


DULE ( 


FLAG 
PROCESSING 


(TITLE, 


D 


DATA) > 


DATA) > 


DATA) > 


(#PCDATA) > 
(#PCDATA) > 
)> 


EFAULT FLAG?) > 


(# PCDATA) > 


PRIORITY (#PCDATA 


(DAILY | WEEKLY | 


ONT 


UTE, END AF 


)> 


HLY), 


TER_HOURS?, END 


AFT 


ER_MINUTES?, 


ER MINUTES? 


, RESUME IN DAYS?, 


RESUM 


ZONE, DST SELEC 
EM DAILY EMPT 
<!ATTLIST DAILY 

frequency day 


<!-- weekdays is comma-separated lis 


<!ELEMENT WEEKLY 
<!ATTLIST WEEKLY 
frequency wee 
weekdays 


EMP 


<!-- either day of m 
provided --> 
<!ELEMENT MONTHLY 
<!ATTLIST MONTHLY 
frequency mon 
day of mont 
day of week 
week of mon 


EM 


n 


th 


CDATA #R 


E?) > 


TED, MAX OCCURRENC 
Y> 


CDATA #R 


s EOUIR 


TY> 


ks CDATA #R 


EOUIRE 


EOUIR 
D> 


onth, or 


PTY> 


ED> 


t of weekdays e.g. 


(day of week and week of month) 


ths CDATA #REQUIR 


ED 


CDATA IMPLIED 
(0111213141516) 
(112131415) 


+ 
+ IM 
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IMP 
PLII 


START DATE UTC, 


E IN HOURS?, N 


E, 


START_HOUR, 
E AFTER HOURS?, 
EXTLAUNCH UTC?, 


PAUS 


0,1,4,5 --> 


must be 
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<!-- start date of the task in UTC --> 

<!ELEMENT START DATE UTC (#PCDATA) > 

<!-- User Selected hour --> 

<!ELEMENT START HOUR (#PCDATA) > 

<!-- User Selected Minute --> 

<!ELEMENT START MINUTE (#PCDATA) > 

<!ELEMENT END AFTER HOURS (#PCDATA) > 

<!ELEMENT END AFTER MINUTES (#PCDATA) > 

<!ELEMENT PAUSE AFTER HOURS (#PCDATA) > 

<!ELEMENT PAUSE AFTER MINUTES PCDATA) > 
! RESUME IN DAYS (A PCDATA) > 

<!ELEMENT RESU E IN HOURS (#PCDATA) > 

NEXTLAUNCH UTC (#PCDATA) > 
<!ELEMENT TIME ZONE (TI E ZONE CODE, TIME ZONE 


iw) 


ETAILS) > 


<!-- timezone code like US-CA --> 
<!ELEMENT TIME ZONE CODE (#PCDATA) > 


<!-- timezone details like (GMT-0800) United States (California): Los 
Angeles, Sacramento, San Diego, San Francisco--> 
<!ELEMENT TIME ZONE DETAILS (#PCDATA) > 


<!-- Did user select DST? O-not selected 1-selected --> 
<!ELEMENT DST SELECTED (#PCDATA) > 
<!ELEMENT [AX OCCURRENCE (#PCDATA) > 


T 


<!-- notifications --> 
<!ELEMENT NOTIFICATIONS (BEFORE LAUNCH?, AFTER COMPLETE? LAUNCH DELAY?, 
LAUNCH SKIP?, DEACTIVATE SCHEDULE?, DISTRIBUTION GROUPS?) > 

<!ELEMENT BEFORE LAUNCH (TIME, UNIT, MESSAGE) > 

<!ELEMENT TIME (#PCDATA) > 

<!ELEMENT UNIT (#PCDATA) > 

<!ELEMENT MESSAGE (#PCDATA) > 


<!ELEMENT AFTER COMPLETE (MESSAGE) > 
<!ELEMENT LAUNCH DELAY (MESSAGE) > 
<!ELEMENT LAUNCH SKIP (MESSAGE) > 
<!ELEMENT DEACTIVATE SCHEDULE (MESSAGE) > 
<!ELEMENT DISTRIBUTION GROUPS (DISTRIBUTION GROUP+) > 
<!ELEMENT DISTRIBUTION GROUP (ID, TITLE) > 


XPaths for Scheduled Scan List Output 


XPath element specifications / notes 
/SCHEDULE SCAN LIST OUTPUT (REQUEST?, RESPONSE) 
[SCHEDULE SCAN LIST OUTPUT/REOUEST 


(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 


/SCHEDULE SCAN LIST OUTPUT/REOUEST/DATETIME — (*PCDATA) 
The date and time of the request. 
/SCHEDULE SCAN LIST OUTPUT/REOUEST/USER LOGIN (#PCDATA) 
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XPath element specifications / notes 
The user login ID of the user who made the reguest. 
/SCHEDULE SCAN LIST OUTPUT/REOUEST/RESOURCE  (#PCDATA) 
The resource specified for the reguest. 
/SCHEDULE SCAN LIST OUTPUT/REOUEST/PARAM LIST (PARAM+) 
/SCHEDULE SCAN LIST OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE) 
/SCHEDULE SCAN LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY (#PCDATA) 
The input parameter name. 
/SCHEDULE_SCAN_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM/VALUE  (#PCDATA) 
The input parameter value. 
/SCHEDULE SCAN LIST OUTPUT/REOUEST/POST DATA  (#PCDATA) 
The POST data, if any. 
/SCHEDULE. SCAN. LIST. OUTPUT/RESPONSE 
(DATETIME, SCHEDULE. SCAN LIST?) 
/SCHEDULE SCAN LIST OUTPUT/RESPONSE/SCHEDULE SCAN LIST (SCAN+) 
/SCHEDULE SCAN LIST OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN 
(ID, SCAN_TYPE?, ACTIVE, TITLE?, USER LOGIN, TARGET, NETWORK ID?, 
ISCANNER_NAME?, EC2 INSTANCE?, CLOUD DETAILS?, 
ASSET. GROUP TITLE LIST?, ASSET_TAGS?, EXCLUDE IP PER SCAN?, 
USER ENTERED IPS?, ELB DNS?, OPTION PROFILE?, 
PROCESSING. PRIORITY?, SCHEDULE, NOTIFICATIONS?) 
/SCHEDULE. SCAN LIST OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/ID — (*PCDATA) 
The scan ID. 
/SCHEDULE SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/ACTIVE (#PCDATA) 
for an active schedule, or 0 for a deactivated schedule. 
/SCHEDULE SCAN LIST OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/TITLE | (#PCDATA) 
The scan title. 
/SCAN LIST. OUTPUT/RESPONSE/SCAN LIST/SCAN/CLIENT 
(ID, NAME) 
/SCAN LIST. OUTPUT/RESPONSE/SCAN. LIST/SCAN/CLIENT/ID (#PCDATA) 
Id assigned to the client. (only for Consultant type subscriptions) 
/SCAN LIST. OUTPUT/RESPONSE/SCAN LIST/SCAN/CLIENT /NAME (#PCDATA) 
Name of the client. (only for Consultant type subscriptions) 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/USER_LOGIN  (*PCDATA) 
The user login ID for the user who owns the scan schedule. 
/SCHEDULE SCAN LIST OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/TARGET  (#PCDATA) 
The target hosts for the scan. 
/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/NETWORK ID (#PCDATA) 
The network ID for the target hosts, if custom networks are defined. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/ 
ISCANNER NAME (#PCDATA) 


The name of the scanner 


appliance used for the scan. 
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XPath element specifications / notes 
/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE. SCAN LIST/SCAN/EC2. INSTANCE 

(CONNECTOR_UUID, EC2 ENDPOINT, EC2 ONLY. CLASSIC?) 
/SCHEDULE SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/EC2. INSTANCE/ 
CONNECTOR UUID (4PCDATA) 

The connector uuid for the AWS integration used for the EC2 scan. 
/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/EC2. INSTANCE/ 

EC2 ENDPOINT (#PCDATA 

The EC2 region code, or the ID of the Virtual Private Cloud (VPC) zone. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/EC2_INSTANCE/ 
EC2_ONLY_CLASSIC (#PCDATA) 

means the EC2 scan is configured to scan EC2 classic hosts in the region. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/SCAN_TYPE (#PCDATA) 

For a CertView VM scan this is set to “CertView”. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/CLOUD_DETAILS (PROVIDER, 
CONNECTOR, SCAN_TYPE, CLOUD_TARGET 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/CLOUD_DETAILS/ 
PROVIDER (#PCDATA 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/CLOUD_DETAILS/ 
CONNECTOR (ID?, UUID, NAME) 

Qualys connector ID used for scheduled scan. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/CLOUD_DETAILS/ 
CONNECTOR/ID (#PCDATA) 

Qualys connector ID. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/CLOUD_DETAILS/ 
CONNECTOR/UUID (#PCDATA) 

Qualys connector UUID. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/CLOUD_DETAILS/ 
CONNECTOR/NAME (#PCDATA) 

Qualys connector user defined name. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/CLOUD_DETAILS/ 

SCAN TYPE (#PCDATA) 

Set to “Internal” for an internal scan. 

/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/CLOUD. DETAILS/ 
CLOUD TARGET (PLATFORM, REGION?, VPC_SCOPE, VPC. LIST?) 

The element CLOUD. TARGET under CLOUD. DETAILS is optional as it only 

applies to AWS EC2 scans and does not apply to Azure scans. 
/SCHEDULE SCAN LIST OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/CLOUD. DETAILS/ 
CLOUD TARGET/PLATFORM (4PCDATA) 

The target cloud portal platform. For example AWS for Amazon Web 

Services. 
/SCHEDULE SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/CLOUD. DETAILS/ 
CLOUD TARGET/REGION (UUID, CODE?, NAME?) 
/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/CLOUD. DETAILS/ 
CLOUD TARGET/REGION/UUID (#PCDATA) 

The target cloud portal region UUID. 
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XPath element specifications / notes 
/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/CLOUD. DETAILS/ 
CLOUD TARGET/REGION/CODE (4PCDATA) 

The target cloud portal region code. 


ESPONSE/SCHEDULE SCAN LIST/SCAN/CLOUD. DETAILS/ 


The target cloud portal region name. 
ESPONSE/SCHEDULE SCAN LIST/SCAN/CLOUD. DETAILS/ 


The target cloud portal VPC scope: All, Selected or None. 
RESPONSE/SCHEDULE_SCAN_LIST/SCAN/CLOUD_DETAILS/ 


/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/CLOUD_DETAILS/ 


The VPC ID in the target portal VPC list. 
LE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/ASSET_GROUP_TITLE_LIS 


/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/ASSET_GROUP_TITLE_LIST/ASSET 


The asset group title specified for the scan. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/ASSET_TAGS 


TAG_INCLUDE_SELECTOR, TAG_SET_INCLUDE, 
TAG_EXCLUDE_SELECTOR?, TAG_SET_EXCLUDE?, 

USE IP NT RANGE TAGS, USE IP NT RANGE TAGS INCLUDE, 
USE IP NT RANGE. TAGS EXCLUDE?) 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/ASSET. TAGS/ 
TAG INCLUDE SELECTOR (#PCDATA) 


nclude any of the s 
 SCAN LIST. OUTPUT/RESPONSE/SCHEDULE. SCAN LIST/SCAN/ASSET. TAGS/ 


ected tags (any) or all of the selected tags (all). 


O 


/SCHEDULE LIST. 

TAG SET INCLUDE (#PCDATA) 
Tag set to include from the scan target. 
/RESPONSE/SCHEDULE. SCAN LIST/SCAN/ASSET. TAGS/ 


/SCHEDULE. SCA 


lid 
t 
un 
| 
O 
E 
Ino] 
= 


TAG EXCLUDE SELECTOR (#PCDATA) 

Exclude any of the selected tags (any) or all of the selected tags (all). 
/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE. SCAN LIST/SCAN/ASSET. TAGS/ 
TAG SET EXCLUDE (4PCDATA) 


Tag set to exclude from the scan target. 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE. SCAN LIST/SCAN/ASSET. TAGS/ 


U 
USE IP NT RANGE TAGS INCLUDE (#PCDATA) 


O means select from all tags (tags with any tag rule). 1 means scan all IP 
addresses defined in tags with the rule “IP address in Network Range(s)”. 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/ASSET. TAGS/ 
USE IP NT RANGE TAGS EXCLUDE (#PCDATA) 


O means select from all tags (tags with any tag rule). 1 means exclude all IP 
addresses defined in tags with the rule “IP address in Network Range(s)”. 
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XPath element specifications / notes 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/ASSET. TAGS/ 
USE IP NT RANGE TAGS (#PCDATA) 


O means select from all tags (tags with any tag rule). 1 means scan all IP 
addresses defined in tags with the rule “IP address in Network Range(s)”. 
This parameter has been replaced by use ip nt range tags include and 
use ip nt range tags exclude parameters. 

The use ip nt range tag parameteris still supported. 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE. SCAN LIST/SCAN/EXCLUDE IP PER SCAN 
(4PCDATA) 


When the scan target has excluded hosts, the target hosts that were 


excluded. 
/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE. SCAN LIST/SCAN/ 
USER. ENTERED IPS (RANGE+) 
/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/RANGE (START, END) 
/SCHEDULE SCAN LIST OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/RANGE/START (4PCDATA) 


When the scan target includes user entered IPs, the start of an IP range. 
/RESPONSE/SCHEDULE SCAN LIST/SCAN/RANGE/END (4PCDATA) 
When the scan target includes user entered IPs, the end of an IP range. 
DULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/ 


/SCHEDULE_SCAN_LIST_OUTPU 


/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/ELB_DNS/ DNS (#PCDATA) 


One or more load balancer DNS names to include in the scan job. Multiple 
values are comma separated. 


e 
DULE SCAN LIST. OUTPUT/RESPONSE/SCHEDULE. SCAN LIST/SCAN/OPTION. PROFILE 


/SCHEDULE SCAN LIST OUTPUT/RESPONSE/SCHED 


(E 


LE_SCAN_LIST/SCAN/OPTION_PROFILE/TITLE 


The option profile title specified for the scan. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/OPTION_PROFILE/DEFAULT_FLA 


G 


A flag that specifies whether the option profile was defined as the default 

option profile in the user account. A value of 1 is returned when this option 
profile is the default. A value of 0 is returned when this option profile is not 
the default. 


/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/PROCESSING_PRIORITY 


Applicable for VM scans only) The processing priority setting for the scan. 


( 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/SCHEDULE 
((DAILY|WEEKLY|MONTHLY), START. DATE UTC, START. HOUR, START_MINUTE, END AFTER HOURS?, 
END. AFTER. MINUTES?, PAUSE AFTER. HOURS?, PAUSE AFTER MINUTES?, RESUME IN DAYS?, 
RESUME IN HOURS?, NEXTLAUNCH UTC?, TIME ZONE, DST. SELECTED, MAX OCCURRENCE?) 


/SCHEDULE SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/SCHEDULE /DAILY 
f 


requency_days is required for a scan that runs after some number of 
days (from 1 to 365) 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/SCHEDULE /WEEKLY 


attribute: freguency days 


attribute: freguency weeks frequency weeks is required for a scan that runs after some number of 
weeks (from 1 to 52) 


21 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 2 - Scans XML 


XPath element specifications / notes 


attribute: weekdays weekdays is required for a scan that runs after some number of weeks on a 
particular weekday (from 0 to 6), where 0 is Sunday and 6 is Saturday, 
multiple weekdays are comma separated 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/SCHEDULE /MONTHLY 


attribute: freguency months is required for a scan that runs after some number of 
frequency_months months (from 1 to 12) 
attribute: day_of month day_of monthis implied and, if present, indicates the scan runs on the Nth 


day of the month (from 1 to 31) 


attribute: day_of week day of week is implied and, if present, indicates the scan runs on the Nth 
day of the month on a particular weekday (from 0 to 6), where 0 is 
Sunday and 6 is Saturday 


attribute: week of month week of month is implied and, if present, indicates the scan runs on the 
Nth day of the month on the Nth week of the month (from 1 to 5), 

where 1 is the first week of the month and 5 is the fifth week of the 
month 


/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHED 
E 


G 


LE SCAN LIST/SCAN/SCHEDUL 


m 
Ss 


The start date (in UTC format) defined for the scan schedule. 
CAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/SCHEDULE / 
p 


The start hour defined for the scan schedule. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/SCH 


m 


DULE /START. MINUTE 


The start minute defined for the scan schedule. 
/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE. SCAN LIST/SCAN/SCH 


m 
D, 
G 
E 

mi 
= 


, 


The “end after number of hours” setting defined for the scan schedule. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/SCH LE / 


mi 
UO 
E 


The “end after number of minutes” setting defined for the scan schedule. 
ESPONSE/SCHEDULE SCAN LIST/SCAN/SCHEDULE / 


SS 
Wn 
a) 

m ti 
UO 
G 
t 
“m 
Wn 
(O) 
> 
Z 
t 
Wn 
O 
E 
ag) 
E 
SS 
as) 


The “pause after number of hours” setting defined for the scan schedule. 
ESPONSE/SCHEDULE_SCAN_LIST/SCAN/SCHEDULE / 


mi 


~ 
Wn 
(2) 

m ti 
U 
G 
t 

1 
un 
GI 
> 
Z 
t 
N 
O 
E 
ag) 
G 
ST 
as) 


The “pause after number of minutes” setting defined for the scan schedule. 
RESPONSE/SCHEDULE_SCAN_LIST/SCAN/SCHEDULE / 


mi 
E) 


The “resume in number of days” setting defined for the scan schedule. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/SCH LEM 


tri 
D 
G 


The “resume in number of hours” setting defined for the scan schedule. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/SCHEDULE / 


The next launch date and time for the scan schedule. 


/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/SCHEDUL 
SCHEDULE/TIME ZONE  (TIME_ZONE_CODE, TIME. ZONE DETAILS) 


td 
Ss 
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/SCHEDULE SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/SCHEDULE / 
TIME ZONE/TIME. ZONE CODE (#PCDATA) 


The time zone code defined for the scan schedule. For example: US-CA. 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE. SCAN. LIST/SCAN/SCHEDULE / 
TIME. ZONE/TIME. ZONE DETAILS (#PCDATA) 


The time zone details (description) for the local time zone, identified in the 
<TIME ZONE, CODE> element. For example:, (GMT-0800) United States 
(California): Los Angeles, Sacramento, San Diego, San Francisco. 


/SCHEDULE SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN. LIST/SCAN/SCHEDULE / 
DST SELECTED (#PCDATA) 


When set to 1, Daylight Saving Time (DST) is enabled for the scan schedule. 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE. SCAN. LIST/SCAN/SCHEDULE / 
MAX OCCURRENCE (4PCDATA) 


The number of times the scan schedule will be run before itis deactivated 
from 1 to 99). 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/NOTIFICATIONS 


BEFORE LAUNCH?, AFTER COMPLETE?, LAUNCH DELAY?, 
LAUNCH_SKIP?, DEACTIVATE. SCHEDULE?, DISTRIBUTION. GROUPS?) 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/NOTIFICATIONS/ 
BEFORE LAUNCH (TIME, UNIT, MESSAGE 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/NOTIFICATIONS/ 
BEFORE LAUNCH/TIME (#PCDATA) 


[The number of days, hours or minutes before the scan starts when the 
notification will be sent. 


/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/NOTIFICATIONS/ 
E 


LAUNCH/UNIT (4PCDATA) 
The time unit (days 


/SCHEDULE SCAN LIST OUTPUT/RESPONSE/SCHED 
E LAUNCH/MESSAGE (#PCDATA) 


hours or minutes) set for the before scan notification. 
LE SCAN LIST/SCAN/NOTIFICATIONS/ 


E 


A user-provided custom message added to the before scan notification. 
DULE SCAN LIST. OUTPUT/RESPONSE/SCHEDULE. SCAN LIST/SCAN/NOTIFICATIONS/ 


A user-provided custom message added to the after scan notification. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/NOTIFICATIONS/ 


A user-provided custom message added to the delay scan notification. 
/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/NOTIFICATIONS/ 


A user-provided custom message added to the skip scan notification. 


/SCHEDULE_SCAN_LIST_OUTPUT/RESPONSE/SCHEDULE_SCAN_LIST/SCAN/NOTIFICATIONS/ 
DEACTIVATE_SCHEDULE (MESSAGE) 


A user-provided custom message added to the deactivate schedule scan 
notification. 
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/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/NOTIFICATIONS/ 

DISTRIBUTION GROUPS (DISTRIBUTION. GROUP+ 

/SCHEDULE. SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/NOTIFICATIONS/ 

DISTRIBUTION. GROUPS/DISTRIBUTION GROUP (ID, TITLE) 
D 


/SCHEDULE SCAN LIST. OUTPUT/RESPONSE/SC ULE SCAN LIST/SCAN/NOTIFICATIONS/ 


DISTRIBUTION. GROUPS/DISTRIBUTION. GROUP/ID (#PCDATA) 
The ID of a distribution group that will receive notifications. 


/SCHEDULE SCAN LIST. OUTPUT/RESPONSE/SCHEDULE SCAN LIST/SCAN/NOTIFICATIONS/DISTRIBUTION 
_GROUPS/DISTRIBUTION_GROUP/TITLE (4PCDATA) 


The title of a distribution group that will receive notifications. 
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Vulnerability Scan Results 


API used 
<platform API server>/api/2.0/fo/scan/?action=fetch 


The vulnerability scan results is returned from the download vulnerability scan results 
API call. Vulnerability scan results can be downloaded in these formats: CSV and JSON 
JavaScript Object Notation). 


mode set to brief or extended - This information is returned: 


Field Description 

IP IP address. 

DNS Name DNS hostname when available. 

Netbios Name NetBIOS hostname when available. 

QID Qualys vulnerability ID (QID). 

Result Scan test result returned by the scanning engine. 


mode set to brief or extended - This information is returned: 


Field Description 

Protocol Protocol used to detect the vulnerability. 

Port Port used to detect the vulnerability. 

SSL A flag indicating whether SSL was used to detect the 


vulnerability: “yes” indicates SSL was used to detect the 
vulnerability, “no” indicates SSL was not used to detect the 
vulnerability. 


FQDN Fully qualified domain name for the host, when defined. 


output_format set to json_extended or csv_extended - This information is returned: 


Scan Summary section includes: company details (name, address), user details (name, 
login, role), scan date, number of active hosts, number of total hosts, scan type (On 
Demand or Scheduled), status, scan reference, scanner appliance, scan duration, scan 
title, asset groups, IPs, excluded IPs, and the option profile used. 


Scan Results section includes: operating system, IP status, vulnerability title, type, 
severity, port, protocol, FQDN, SSL, CVE ID, vendor reference, Bugtraq ID, CVSS scores, 
threat, impact, solution, exploitability, associated malware, PCI vuln flag, OS CPE and 
category. 
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Compliance Scan Results 


API used 


<platform API server>/api/2.0/fo/scan/compliance/?action=fetch 


DTD for Compliance Scan Result Output 
<platform API server>/api/2.0/fo/scan/compliance/compliance scan result output.dtd 


A recent DTD is below. 


<!ELEMENT COMPLIANCE SCAN RESULT OUTPUT (REOUEST?,RESPONSE) > 


<!ELEMENT REOUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 


<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 
N 


P 
<! ELEME PARAM (KEY, VALUE)> 
<!ELEMENT KEY (#PCDATA)> 
K 
Cc 


EY 
E 


value CDATA #IMPLIED 
> 
<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 


<!ELEMENT POST DATA (#PCDATA) > 


<!ELEMENT RESPONSE 
<!ELEMENT COMPLIANC 


DATETIME, COMPLIANCE SCAN) > 


SCAN ( (HEADER, ERROR?, AUTH SCAN ISSUES?, 
APPENDIX) +) > 


Aa 


<!ELEMENT ERROR (#PCDATA) > 
<!ATTLIST ERROR 
number CDATA #IMPLIED 


> 
<!-- INFORMATION ABOUT THE SCAN --> 

<!ELEMENT HEADER (NAME, GENERATION DATETIME, COMPANY INFO, USER_INFO, 
KEY+, ASSET GROUPS?, FODNS?, OPTION PROFILE?) > 
<!ELEMENT NAME (#PCDATA) *> 
<!ELEMENT GENERATION DATETIME (#PCDATA) *> 


<!ELEMENT COMPANY INFO (NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP CODE)> 

<!ELEMENT ADDRESS (#PCDATA) > 

<!ELEMENT CITY (#PCDATA) > 
N 
N 
N 


<!ELEMENT STATE (#PCDATA) > 
T COUNTRY (#PCDATA) > 
T ZIP_CODE (#PCDATA) > 


Z 


<!ELE 
<! ELEME 


<!ELEMENT USER_INFO (NAME, USERNAME?, ROLE)> 
<! ELE T USERNAME (#PCDATA) *> 


N 
N 
<!ELEMENT ROLE (#PCDATA) *> 
N 
N 


Z 


<!ELEMENT FODNS (FODN+) > 
<!ELEMENT FODN (#PCDATA) > 
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x 


<!-- NAME of the asset group with the TYPE attribute with possible values 
of (DEFAULT | EXTERNAL | ISCANNER) --> 

<!ELEMENT ASSET GROUP (ASSET_GROUP_TITLE)> 

<!ELEMENT ASSET GROUPS (ASSET GROUP+) > 
<!ELEMENT ASSET GROUP TITLE PCDATA) > 
<!ELEMENT OPTION PROFILE (OPTION PROFILE TITLE) > 
<!ELEMENT OPTION PROFILE TITLE (#PCDATA) > 
<!ATTLIST OPTION PROFILE TITLE 
option profile default CDATA IMPLIED 


> 

<!ELEMENT AUTH SCAN ISSUES (AUTH SCAN FAILED*, AUTH SCAN INSUFFICIENT*) > 
<!ELEMENT AUTH SCAN FAILED (HOST INFO*)> 

<!ELEMENT AUTH SCAN INSUFFICIENT (HOST INFO*)> 

<!ELEMENT HOST INFO (DNS, IP, NETBIOS, INSTANCE, CAUSE, NETWORK) > 
<!ELEMENT DNS (#PCDATA) > 

<!ELEMENT IP (#PCDATA) > 

<!ELEMENT NETBIOS (#PCDATA) > 

<!ELEMENT INSTANCE (#PCDATA) > 

<!ELEMENT CAUSE (#PCDATA) > 

<!ELEMENT NETWORK (#PCDATA) > 

<!ELEMENT APPENDIX (TARGET HOSTS?, TARGET DISTRIBUTION?, 


AUTHENTICATION?, OS AUTH BASED TECHNOLOGY LIST?, 
AUTH DISCOVERY INSTANCE LIST?, AUTH DISCOVERY INSTANCE NOT FOUND LIST?, 
AUTH DISCOVERY INSTANCE NOT COLLECTED?) > 

<!ELEMENT TARGET HOSTS (HOSTS SCANNED?, EXCLUDED HOSTS?, 
HOSTS NOT ALIVE?, PAUSE CANCEL ACTION?, 
HOSTNAME NOT FOUND?, HOSTS SCAN ABORTED?) > 
<!ELEMENT HOSTS SCANNED (#PCDATA) > 
<!ELEMENT HOSTNAME NOT FOUND (#PCDATA) > 
<!ELEMENT EXCLUDED HOSTS (#PCDATA) > 
<!ELEMENT HOSTS NOT ALIVE (#PCDATA) > 
<!ELEMENT HOSTS SCAN ABORTED (#PCDATA) > 

<!ELEMENT PAUSE CANCEL ACTION (HOSTS, ACTION, BY) > 
<!ELEMENT ACTION (#PCDATA) > 

<!ELEMENT BY (#PCDATA) > 


<!ELEMENT TARGET DISTRIBUTION (SCANNER+) > 
<!ELEMENT SCANNER (NAME, HOSTS) > 
<!ELEMENT HOSTS (#PCDATA) > 


ENTICATION (AUTH+) > 
TYPE?, (FAILED | SUCCESS | INSUFFICIENT) +) > 
PCDATA) > 


<!ELEMENT OS AUTH BASED TECHNOLOGY LIST (OS AUTH BASED TECHNOLOGY*) > 

<!ELEMENT OS AUTH BASED TECHNOLOGY (TECHNOLOGY FAMILY, 

TECHNOLOGY INSTANCE LIST*) > 

OLOGY FAMILY (#PCDATA) > 

! OLOGY INSTANCE LIST (TECHNOLOGY INSTANCE+) > 

<!ELEMENT TECHNOLOGY INSTANCE (TECHNOLOGY, INSTANCE INFO LIST*, IP)> 
N 
o 


CE INFO LIST (INSTANCE INFO*)> 
OGY (#PCDATA) > 
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<!ELEMENT INSTANCE INFO (#PCDATA) > 

<!ATTLIST INSTANCE INFO key CDATA #IMPLIED> 

<!ELEMENT AUTH DISCOVERY INSTANCE LIST (AUTH DISCOVERY INSTANCE*) > 
<!ELEMENT AUTH DISCOVERY INSTANCE (AUTH TYPE, AUTH PARAM LIST?, IP)> 
<!ELEMENT AUTH DISCOVERY INSTANCE NOT FOUND LIST 

(AUTH DISCOVERY INSTANCE NOT FOUND*) > 

<!ELEMENT AUTH DISCOVERY INSTANCE NOT FOUND (AUTH TYPE, IP)> 
<!ELEMENT AUTH DISCOVERY INSTANCE NOT COLLECTED (AUTH TYPE LIST*)> 
<!ELEMENT AUTH TYPE LIST (AUTH TYPE*)> 

<!ELEMENT AUTH PARAM LIST (AUTH PARAM+) > 

<!ELEMENT AUTH TYPE (#PCDATA) > 

<!ELEMENT AUTH PARAM (#PCDATA) > 

<!ATTLIST AUTH PARAM name CDATA #IMPLIED> 

<!ELEMENT FAILED (IP, INSTANCE?) > 

<!ELEMENT SUCCESS (IP, INSTANCE?) > 

<!ELEMENT INSUFFICIENT (IP, INSTANCE?) > 

<!-- EOF --> 


XPaths for Compliance Scan Result Output 


XPath element specifications / notes 
/COMPLIANCE_SCAN_RESULT_OUTPUT (REQUEST?, RESPONSE) 
/COMPLIANCE_SCAN_RESULT_OUTPUT/REQUEST 

DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA) 
/COMPLIANCE_SCAN_RESULT_OUTPUT/REQUEST/DATETIME (#PCDATA) 

The date and time the scan was launched. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 

The login ID of the user who launched the scan. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/REQUEST/RESOURCE (#PCDATA) 

The resource specified for the request. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/REQUEST/PARAM_LIST (PARAM+) 
/COMPLIANCE_SCAN_RESULT_OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
/COMPLIANCE SCAN RESULT OUTPUT/REOUEST/PARAM LIST/PARAM/KEY  (*PCDATA) 

An input parameter name. 

/COMPLIANCE SCAN RESULT. OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE (#PCDATA) 

An input parameter value. 

/COMPLIANCE SCAN RESULT OUTPUT/REOUEST/POST DATA  (*PCDATA) 

The POST data. 

/COMPLIANCE SCAN RESULT. OUTPUT/RESPONSE (DATETIME, COMPLIANCE_SCAN) 
/COMPLIANCE SCAN RESULT. OUTPUT/RESPONSE/DATETIME (#PCDATA) 


The date and time of the response. 
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element specifications / notes 


/COMPLIANCE. SCAN. RESU 


UTPUT/RESPONSE/COMPLIANCE_SCAN 
((HEADER, ERROR?, AUTH_SCAN_ISSUES?, APPENDIX)+) 


/COMPLIANCE_SCAN_RESU 


UTPUT/RESPONSE/COMPLIANCE_SCAN/ HEADER 


(NAME, GENERATION_ 
GROUPS?, OPTION PROFILE?) 


DATETIME, COMPANY_INFO, USER_INFO, KEY+ 


RESPONSE/COMPLIANCE_SCAN/ HEADER/NAME 


(#PCDATA) 


/ 
[The name of the scan. 
/RESPONSE/COMPLIANCE_SCAN/HEADER/GENERATION_DATETIME 


te and time when the scan was launched. 


RESPONSE/COMPLIANCE_SCAN/ HEADER/COMPANY_INFO 


The company name a 


a 
/ 

(NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP. CODE) 
/RESPONSE/COMPLIANCE_SCAN/ HEADER/COMPANY_INFO/NAME 


ssociated with the account used to launch the scan. 


UTPUT/RESPONSE/COMPLIANCE_SCAN/ 


SS  (*PCDATA) 


The street address associated with the account used to launch the scan. 


The city associated wi 


UTPUT/RESPONSE/COMPLIANCE_SCAN/ HEADER/COMPANY_INFO/CITY 


th the account used to launch the scan. 


The city associated wi 


UTPUT/RESPONSE/COMPLIANCE_SCAN/ HEADER/COMPANY_INFO/STATE 


th the account used to launch the scan. 


(4PCDATA) 


PUT/RESPONSE/COMPLIANCE_SCAN/ 


The country associated with the account used to launch the scan. 


UTPUT/RESPONSE/COMPLIANCE_SCAN/ 


(4PCDATA) 


The zip code associated with the account used to launch the scan. 


/COMPLIANCE. SCAN. RESUL 


_OUTPUT/RESPONSE/COMPLIANCE_SCAN/ HEADER/USER. INFO 
NAME, USERNAME, ROLE) 


DER/USER_INFO/NAM 


/COMPLIANCE_SCAN_RESU 
E 


The name of the user 


PUT/RESPONSE/COMPLIANCE_SCAN/ 
(4PCDATA 


who launched the scan. 


OMPLIANCE SCAN RES 


DATA) 


UTPUT/RESPONSE/COMPLIANCE_SCAN/ HEADER/USER_INFO/USERNAME 


The user login of the user who launched the scan. 


OMPLIANCE_SCAN_RE 


U 
DER/USER_INFO/ROLE 


UTPUT/RESPONSE/COMPLIANCE_SCAN/ 
(#PCDATA) 


The user role assigned to the user who launched the scan. 


OMPLIANCE_SCAN_RES 23 
DER/ASSET. GROUPS/ASSET. GROUP 


U 


UTPUT/RESPONSE/COMPLIANCE_SCAN/ 


(ASSET_GROUP_TITLE) 
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XPath element specifications / notes 
/COMPLIANCE SCAN RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/ 
EADER/FODNS (FQDN+) 
/COMPLIANCE SCAN RESULT OUTPUT/RESPONSE/COMPLIANCE. SCAN/ 
EADER/FODNS/FODN — (4PCDATA) 
The target FODN for a compliance scan. 
/COMPLIANCE SCAN RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/ 
EADER/ASSET. GROUPS (ASSET_GROUP+) 
/COMPLIANCE SCAN RESULT OUTPUT/RESPONSE/COMPLIANCE. SCAN/ 
EADER/ASSET. GROUPS /ASSET. GROUP TITLE  (PCDATA) 
The title of an asset group in the scan target. 


/COMPLIANCE SCAN RESULT. OUTPUT/RESPONSE/COMPLIANCE SCAN/ HEADER/OPTION. PROFILE 
OPTION PROFILE TITLE) 


SCAN RESULT. OUTPUT/RESPONSE/COMPLIANCE SCAN/ 
FILE/OPTION. PROFILE TITLE (#PCDATA 


The title of the option profile used. 
/COMPLIANCE SCAN RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/ERROR (#PCDATA) 


An error description. 


attribute: number An error number (implied) 
/COMPLIANCE. SCAN. RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/AUTH. SCAN ISSUES 

AUTH_SCAN_FAILED, AUTH. SCAN IN SUFFICIENT) 
/COMPLIANCE. SCAN. RESULT. OUTPUT/RESPONSE/COMPLIANCE, SCAN/ 

AUTH. SCAN ISSUES/AUTH. SCAN. FAILE (HOST. INFO) 

/COMPLIANCE. SCAN. RESULT. OUTPUT/RESPONSE/COMPLIANCE, SCAN/ 

AUTH. SCAN ISSUES/AUTH. SCAN FAILED/HOST. INFO (DNS, P, NETBIOS, INSTANCE, CAUSE, NETWORK) 
/COMPLIANCE. SCAN. RESULT. OUTPUT/RESPONSE/COMPLIANCE,. SCAN/ 

AUTH. SCAN ISSUES/AUTEH. SCAN. FAILED/HOST. INFO/DNS (#PCDATA) 

The DNS name of a host that failed authentication. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/ 
AUTH_SCAN_ISSUES/AUTH_SCAN_FAILED/HOST_INFO/IP (#PCDATA) 

The IP address of a host that failed authentication. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/ 
AUTH_SCAN_ISSUES/AUTH_SCAN_FAILED/HOST_INFO/NETBIOS (#PCDATA) 


The NetBIOS hostname of a host that failed authentication. 


/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/ 
AUTH_SCAN_ISSUES/AUTH_SCAN_FAILED/HOST_INFO/INSTANCE  (#PCDATA) 


ailed authentication. 


CAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/ 
UES/AUTH_SCAN_FAILED/HOST_INFO/CAUSE — (*PCDATA) 

Additional information for a host that failed authentication. This may 
include the login ID used during the authentication attempt. 


/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/ 
AUTH SCAN ISSUES/AUTH. SCAN FAILED/HOST INFO/NETWORK  (#PCDATA) 


Network information for a host that failed authentication. You will see this 
element in the API output when the Network Support feature is enabled. 


/COMPLIANCE SCAN RESULT OUTPUT/RESPONSE/COMPLIANCE. SCAN/ 
AUTH SCAN ISSUES/AUTH. SCAN INSUFFICIENT (HOST INFO) 
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XPath element specifications / notes 
/COMPLIANCE SCAN RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/ 
AUTH. SCAN ISSUES/AUTH. SCAN INSUFFICIENT/HOST. INFO 

DNS, IP, NETBIOS, INSTANCE, CAUSE) 


/COMPLIANCE SCAN RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/ 
AUTH SCAN ISSUES/AUTH. SCAN INSUFFICIENT/HOST INFO/DNS  (#PCDATA) 


The DNS name of a host that failed authentication due to insufficient 
privileges. 
/COMPLIANCE. SCAN. RESULT. OUTPUT/RESPONSE/COMPLIANCE,. SCAN/ 
AUTH_SCAN_ISSUES/AUTH_SCAN_INSUFFICIENT/HOST_INFO/IP (#PCDATA) 

The IP address of a host that failed authentication due to insufficient 
privileges. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/ 
AUTH_SCAN_ISSUES/AUTH_SCAN SUFFICIENT/HOST_INFO/NETBIOS (#PCDATA) 

The NetBIOS hostname of a host that failed authentication due to 
insufficient privileges. 


/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/ 
AUTH_SCAN_ISSUES/AUTH_SCAN_INSUFFICIENT/HOST_INFO/INSTANCE — (4PCDATA) 


The instance of the host that failed authentication due to insufficient 
privileges. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/ 
AUTH_SCAN_ISSUES/AUTH_SCAN_INSUFFICIENT/HOST_INFO/CAUSE (#PCDATA) 


S 
Additional information for a host that failed authentication due to 
insufficient privileges. This may include the login ID used during the 
authentication attempt. 


/COMPLIANCE SCAN. RESULT OUTPUT/RESPONSE/COMPLIANCE SCAN/APPENDIX 


'ARGET_HOSTS,?, TARGET DISTRIBUTION?, AUTHENTICATION?, 
OS AUTH BASED TECHNOLOGY LIST?, 
AUTH. DISCOVERY INSTANCE LIST?, 

AUTH. DISCOVERY INSTANCE NOT. FOUND LIST?, 
AUTH. DISCOVERY. INSTANCE NOT. COLLECTED?) 


/COMPLIANCE SCAN RESULT OUTPUT/RESPONSE/COMPLIANCE. SCAN/APPENDIX/TARGET. HOSTS 


HOSTS SCANNED?, EXCLUDED HOSTS?, HOSTS NOT. ALIVE?, 
PAUSE CANCEL ACTION?, HOSTNAME NOT. FOUND?, 
HOSTS SCAN ABORTED? 


/COMPLIANCE SCAN RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/ 
APPENDIX/TARGET HOSTS/HOSTS SCANNED (#PCDATA 


Target hosts that were scanned. 


SULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/ 
XCLUDED HOSTS  (#PCDATA) 


T 
O 
“n mi 
WN 
inc 
m 


Target hosts that were excluded from the scan target. 


RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/ 
HOSTS/HOSTS NOT ALIVE (#PCDATA) 


Target hosts that were not alive. 


ESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/ 
HOSTS/HOSTNAME NOT FOUND  (#PCDATA) 


Target hosts that were not found. 
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XPath element specifications / notes 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/ 
APPENDIX/TARGET_HOSTS/HOSTS_SCAN_ABORTED (#PCDATA) 

Target hosts on which the scan was aborted. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
TARGET_HOSTS/PAUSE_CANCEL_ACTION (HOSTS, ACTION, BY) 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
TARGET. HOSTS/PAUSE CANCEL ACTION/HOSTS  (#PCDATA) 

The target hosts that an action (pause or cancel) was taken on. 
/COMPLIANCE SCAN. RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/APPENDIX/ 
TARGET. HOSTS/PAUSE CANCEL ACTION/ACTION | (4PCDATA) 

An action (pause or cancel) taken by a user on a scan. 
/COMPLIANCE SCAN RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/APPENDIX/ 

ARGET. HOSTS/PAUSE CANCEL ACTION/BY (#PCDATA) 

The user who took an action (pause or cancel). 
/COMPLIANCE SCAN. RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/APPENDIX/ 
TARGET. DISTRIBUTION SCANNER+) 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
TARGET_DISTRIBUTION/SCANNE NAME, HOSTS) 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
TARGET. DISTRIBUTION/SCANNER/NAME  (#PCDATA 

The name of a scanner appliance used. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
TARGET. DISTRIBUTION/SCANNER/HOSTS — (#PCDATA) 

The compliance hosts that were scanned 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
AUTHENTICATION (AUTH+) 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
AUTHENTICATION/AUT TYPE?, (FAILED | SUCCESS | INSUFFICIENT)+) 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
AUTHE CATION/AUTH/TYPE (#PCDATA) 

The authentication type. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
AUTHENTICATION/AUTH/FAILED (IP, INSTANCE?) 

A list of IP addresses with failed authentication. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
AUTHE CATION/AUTH/SUCCESS IP INSTANCE?) 

A list of IP addresses with successful authentication. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
AUTHENTICATION/AUTH/INSUFFICIENT (IP,.INSTANCE?) 

A list of IP addresses with insufficient privileges for authentication. 
/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/OS_AUTH_BASED_TECH 
NOLOGY LIST (OS AUTH BASED. TECHNOLOGY'*) 

/COMPLIANCE SCAN. RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/APPENDIX/ 
OS AUTH BASED TECHNOLOGY LIST/OS AUTH BASED TECHNOLOGY LIST (TECHNOLOGY. FAMILY, 
TECHNOLOGY INSTANCE LIST*) 
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/COMPL 


OS AUT 
(#PCDATA) 


ANCE_SCAN_RESU 
H_BASED_TECHNOLOGY_LIST/OS_AUTH_BAS 


LT_OUTPU 


The 


T/RESPONSE/COMP 


technology fami 


yo 


AN 


f the 


C 
el) MECIal 


di 


E SCAN/APPEN 
NOLOGY LIST / 


DIX/ 
ECHNOLOGY. FAMILY 


scovered instance. 


/COMPL 


OS AUT 


ST 


(TECHNOLOG 


ANCE_SCAN _ 
BASEDARES 


RESU 


Y, INSTANCE_INFO 


LT_OUTPU 
HNOLOGY_LIST/OS_AU 


H_BAS 


T/RESPONSE/COMP 


ED 


MEG 


LIST*, IP) 


ANG 


E SCAN/APPEN 
NOLOGY LIST/ 


DIX/ 
BG 


NOLOGY_INSTANCE_LI 


/COMPL 


05 AUT 
ST/TECHN 


ANCE_SCAN_ 
BASED TEC 
OLOGY (# 


RESU 


PCDATA) 


LT_OUTPU 
HNOLOGY_LIST/OS_AU 


Technology of 


H_BAS 


T/RESPONSE/COMP 


the instance. 


ANC 
SD MEE 


E_SCAN/APPEN 
NOLOGY_LIST/ 


DIX/ 
EG 


NOLOGY_INSTANCE_LI 


/COMPL 
OS. A 


UT 


ANCE_SCAN_ 
SPASEDSNEC 


ST/ INS 


ANGES 


RESUL 


010) 
HNOLOGY_LI 
INFO LIST (INSTANC 


PU 


ST/OS AU 
IE 


H 


/RESPONSE/COMPLIANCE_SCAN/APPEN 
ERASE Dai: © 
_INFO, INSTANCE_INFO 


key CDATA) 


DIX/ 
EG 


NOLOGY_LIST/ NOLOGY_INSTANCE_LI 


/ 
/COMPL 
OS. A 


ANGE SCAN 


S 


GES 


RESUL 


= aa OW 
_BASED_TECHNOLOGY_LI 
NFO LIST/INSTANCE 


PU 


In 


ST/OS AU 
INFO 


H 


/RESPONSE/COMPLIANCE_SCAN/APPEN 
_BASED_TEC 
(#PCDATA) 


formation related to the instance. 


DIX/ 
IEC 


NOLOGY_LIST/ NOLOGY_INSTANCE_LI 


/COMPL 
OS. A 


UT 


ANCE 
H 


ST/INS 


ANGES 


. SGAN. RESULT. OUTPU 
BASED TECHNOLOGY LI 
NFO_LIST/INSTANCE 


In 


I 


T/RESPONSE/COMPLIAN 
ST/OS_AUTH_BASED_TEC 
FO key CDATA 


formation related to 


#IMPL 


the ins 


CE_SCAN/APPEN 


tance key. 


DIX/ 
ECHNOLOGY_INSTANCE_LI 


NOLOGY_LIST/ 


ED) 


/COMPL 
AUTH 


_DISCOV. 


ANCE 


SCAN, IX 
ERY_INSTANC 


ESUL 


OY) 
ES 


PU 


/RESPON 
AUTH_D 


SE/COMP 
SCOVERY_ 


LIAN 


CE_SCAN/APPEN 
INSTANCE*) 


DIX/ 


/COMPL 
AUTH 


DISCOV: 


ANCE 


SCAN_R 
ERY_INSTANC 


ESUL 


OY) 
SALU 


PU 


/RESPON 


/AUTH_ 


DISC 


SE/COMP 
OVERY_INSTANCE 


LIAN 


CE_SCAN/APPEN 


DIX/ 


(AUTH_TYPE, AUTH_PARAM_LIST?, IP) 


/COMPL 
AUTH 


_DISCOV. 


ANCE 


SCAN_R 
ERY_INSTANC 


ESUL 


ON) 
Emel 


PU 


/RESPON 


/AU 


The authentication types for 
WebSphere App Server a 


ll USE 


SE/COMP 


LIAN 


nd 


CE_SCAN/APPEN 
OVERY_INSTANCE/AUTH_TYPE 


DIX/ 
(#PCDATA) 


instance discovery: Apache Web Server, IBM 
boss Server. 


/COMPLIANCE_SCAN_R 
DISCOVERY. INSTANC 


AUTH 


ES 


ULT OU 
EMAL 


PU 


/RESPON 


/A 


U 


SE/COMPL 


ANCE_SCAN/APPENDIX/ 
H_DISCOVERY_INSTANCE/AUTH_PARAM_LIST 


(AUTH_PARAM+) 


/COMPLIANCE_SCAN_R 
DISCOVERY. INSTANC 
(#PCDATA) 


AUTH 


AUTH_PARAM 


attri 


bute: name 


ESUL 


OY) 
ETS 


PU 


/RESPON 


/A 


The 
apac 
The 


hom 
path 
The 

hom 


ins 


ins 


ins 


UT 


tance con 
he 
tance con 


nstance con 
e path, jboss 


tance con 
e di 


The parameter name 


, jboss config host 
figurat 
rectory and apache to 


SE/COMPL 


figurati 
control command. 
figurati 
Installation directory. 
The i figurati 
base p 


f 


(impl 


O 


O 


on pa 


ile pat 


ion 


ANCE_SCAN/APPENDIX/ 
H_DISCOVERY_INSTANCE/AUTH_PARAM_LIST/ 


ied). 


n parameters Apache: apache config file and 


n parameter IBM WebSphere: websphere 


ameters JBoss: jboss domain mode, jboss 


ath, jboss config directory path, jboss config file 


n. 


parameters Tomcat Server: apache tomcat 


mcat base directory. 


/COMPLIANCE SCAN RESULT OU 


ne 
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or mo 


TPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
AUTH_DISCOVERY_INSTANCE_LIST/AUTH_DISCOVERY_INSTANCE/IP 


The IP address with o 


(#PCDATA) 


re discovered instances. 
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XPath element specifications / notes 


/COMPLIANCE SCAN. RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/APPENDIX/ 
AUTH DISCOVERY INSTANCE NOT FOUND /((AUTH DISCOVERY INSTANCE NOT. FOUND')) 


/COMPLIANCE SCAN. RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/APPENDIX/ 
AUTH DISCOVERY INSTANCE NOT FOUND/AUTH DISCOVERY INSTANCE NOT FOUND (AUTH TYPE, IP) 


/COMPLIANCE SCAN. RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/APPENDIX/ 
AUTH DISCOVERY INSTANCE NOT. FOUND/AUTH. DISCOVERY INSTANCE NOT. FOUND/ 
AUTH TYPE  (#PCDATA) 


The authentication type for instance discovery: Apache Web Server, IBM 
WebSphere App Server, Jboss Server and Tomcat Server. 


OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
AUTH_DISCOVERY_INSTANCE_NOT_FOUND/AUTH_DISCOVERY_INSTANCE_NOT_FOUND/IP (#PCDATA) 


The IP address that was successfully scanned but no instances were found. 
/COMPLIANCE_SCAN_RES 


© ULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENDIX/ 
ELEMENT AUTH_DISCOVERY_INSTANCE_NOT_COLLECTED (AUTH TYPE LIST*) 


/COMPLIANCE_SCAN_RESULT_OUTPUT/RESPONSE/COMPLIANCE_SCAN/APPENI 

ELEMENT AUTH_DISCOVERY_INSTANCE_NOT_COLLECTED/ AUTH. TYPE LIST (AUTH. TYPE*) 

/COMPLIANCE SCAN. RESULT. OUTPUT/RESPONSE/COMPLIANCE. SCAN/APPENDIX/ 

ELEMENT AUTH DISCOVERY INSTANCE NOT. COLLECTED/ AU TYPE LIST/ AUTH TYPE (4PCDATA) 


D 
) 
D 


= Mi 


The authentication types for which no instances are found on any scanned 
assets. 
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VM Recrypt Results (Scan Statistics) 
API used 


<platform API server>/api/2.0/fo/scan/stats/?action=list 


DTD for VM Recrypt Results 
<platform API server>/api/2.0/fo/scan/stats/vm_recrypt_results.dtd 


A recent DTD is shown below. 
<!ELEMENT TASK PROCESSING (UNPROCESSED SCANS?, VM RECRYPT BACKLOG?, 
VM RECRYPT BACKLOG BY SCAN?, VM RECRYPT BACKLOG BY TASK?) > 
<!ELEMENT UNPROCESSED SCANS (#PCDATA) > 
<!ELEMENT VM RECRYPT BACKLOG (#PCDATA) > 
<!ELEMENT VM RECRYPT BACKLOG BY SCAN (SCAN*) > 
<!ELEMENT VM RECRYPT BACKLOG BY TASK (SCAN*) > 
<!ELEMENT SCAN (1D?, TITLE?, STATUS?, PROCESSING PRIORITY?, COUNT?, 
NBHOST?, TO PROCESS?, PROCESSED?, SCAN DATE?, SCAN UPDATED DATE?, 
TASK TYPE?, TASK STATUS?, TASK UPDATED DATE?) > 
<!ELEMENT ID (#PCDATA) > 
<!ELEMENT TITLE PCDATA) > 
<!ELEMENT STATUS (4PCDATA) > 
<!ELEMENT PROCESSING PRIORITY (#PCDATA) > 
<!ELEMENT COUNT (#PCDATA) > 
<!ELEMENT NBHOST (4PCDATA) > 
<!ELEMENT TO PROCESS (#PCDATA) > 
<!ELEMENT PROCESSED (#PCDATA) > 
<!ELEMENT SCAN DATE (#PCDATA) > 
<!ELEMENT SCAN UPDATED DATE (#PCDATA) > 
<!ELEMENT TASK TYPE (#PCDATA) > 
<!ELEMENT TASK STATUS (#PCDATA) > 
<!ELEMENT TASK UPDATED DATE (#PCDATA) > 


XPaths for VM Recrypt Results 
This section describes the XPaths for VM Recrypt Results (vm_recrypt_results.dtd). 


XPath element specifications / notes 
/TASK_PROCESSING 
(UNPROCESSED_SCANS?, VM_RECRYPT_BACKLOG?, 
VM. RECRYPT. BACKLOG BY SCAN?, VM. RECRYPT. BACKLOG BY TASK?) 
/TASK PROCESSING/UNPROCESSED SCANS  (*PCDATA) 
The total number of scans that are not processed, including scans that are 
gueued, running, loading, finished, etc. 
/TASK. PROCESSING/VM. RECRYPT. BACKLOG (#PCDATA) 


[he total number of assets across your finished scans that are waiting to be 
processed. 
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XPath element specifications / notes 
/TASK. PROCESSING/VM. RECRYPT BACKLOG BY SCAN (SCAN) 


Scan details for vulnerability scans that are waiting to be processed. For 
each scan, you'll see the scan ID, scan title, scan status, processing priority 
and number of hosts that the scan finished but not processed. 


/TASK. PROCESSING/VM. RECRYPT BACKLOG BY TASK  (SCAN”) 


Processing task details for vulnerability scans that are waiting to be 
processed. For each task, you'll see the same scan details as VM RECRYPT 
BACKLOG BY SCAN plus additional information like the total hosts alive for 
the scan, the number of hosts from the scan that have been processed, the 
number of hosts waiting to be processed, the scan start date, the task type 
and task status. 


/TASK. PROCESSING/.../SCAN 


(ID?, TITLE?, STATUS?, PROCESSING. PRIORITY?, COUNT?, NBHOST?, 
TO PROCESS?, PROCESSED?, SCAN DATE?, SCAN UPDATED. DATE?, 
ASK TYPE?, TASK STATUS?, TASK UPDATED. DATE?) 


/TASK PROCESSING/.../SCAN/ID  (#PCDATA) 


[he scan ID. 


/TASK_PROCESSING/.../SCAN/TITLE (#PCDATA) 


The scan title. 


/TASK_PROCESSING/.../SCAN/STATUS (#PCDATA) 
The scan status. 
/TASK_PROCESSING/.../SCAN/PROCESSING_PRIORITY (#PCDATA) 


[he processing priority setting for the scan. 


/TASK_PROCESSING/.../SCAN/COUNT  (#PCDATA) 

The number of hosts that the scan finished but not processed. 
/TASK_PROCESSING/.../SCAN/NBHOST  (*PCDATA) 

The number of total hosts alive for the scan. 
/TASK_PROCESSING/.../SCAN/TO_PROCESS (#PCDATA) 

The number of hosts waiting to be processed. 
/TASK_PROCESSING/.../SCAN/PROCESSED (4PCDATA) 

The number of hosts from the scan that have been processed. 
/TASK. PROCESSING/.../SCAN/SCAN DATE (4PCDATA) 


[he scan start date. 
/TASK_PROCESSING/.../SCAN/SCAN_UPDATED_DATE (#PCDATA) 


The scan updated date. 
/TASK_PROCESSING/.../SCAN/TASK_TYPE (#PCDATA) 

The task type “VM Scan Processing”. 
/TASK_PROCESSING/.../SCAN/TASK_STATUS (#PCDATA) 


The task processing status. 
/TASK_PROCESSING/.../SCAN/TASK_UPDATED_DATE (#PCDATA) 
The task updated date. 
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Scan Summary Output 


API used 


<platform API server>/api/2.0/fo/scan/summary/?action=list 


DTD for Scan Summary Output 
<platform API server>/api/2.0/fo/scan/summary/scan_summary_output.dtd 


A recent DTD is shown below. 


<!-- QUALYS SCAN SUMMARY OUTPUT.DTD --> 
<!-- SRevision$ --> 
<!ELEMENT SCAN SUMMARY OUTPUT (REQUEST ?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 
<!ELEMENT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (#PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA) > 
<!ELEMENT PARAM LIST (PARAM+) > 
<!ELEMENT PARAM (KEY, VALUE) > 
<!ELEMENT KEY (#PCDATA) > 
M 
i 
M 


zo] 


<!ELEMENT VALUE (#PCDATA)> 
<!-- if returned, POST_DATA will be urlencoded --> 
<!ELEMENT POST_DATA (#PCDATA) > 


<!ELEMENT RESPONSE (DATETIME, SCAN SUMMARY LIST?) > 
<!ELEMENT SCAN SUMMARY LIST (SCAN SUMMARY*) > 
<!ELEMENT SCAN SUMMARY (SCAN _REF?, SCAN DATE?, HOST SUMMARY*) > 
<!ELEMENT SCAN REF (#PCDATA) > 
<!ELEMENT SCAN DATE (#PCDATA) > 

<!ELEMENT HOST SUMMARY (#PCDATA) > 


<!ATTLIST HOST SUMMARY category CDATA #IMP 
<!ATTLIST HOST SUMMARY tracking CDATA #IMP 
<!-- EOF --> 


IED> 
IED> 


XPaths for Scan Summary Output 


XPath element specifications / notes 
/SCAN. SUMMARY OUTPUT (REOUEST?, RESPONSE) 


/SCAN SUMMARY OUTPUT/REOUEST 
(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/SCAN SUMMARY OUTPUT/REOUEST/DATETIME — (4PCDATA) 

The date and time of the request. 
/SCAN_SUMMARY_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 


The user login ID of the user who made the request. 
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XPath element specifications / notes 
/SCAN SUMMARY OUTPUT/REOUEST/RESOURCE  (#PCDATA) 
The resource specified for the reguest. 
[SCAN SUMMARY OUTPUT/REOUEST/PARAM LIST (PARAM+) 
/SCAN SUMMARY OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE) 
/SCAN SUMMARY OUTPUT/REOUEST/PARAM LIST/PARAM/KEY  (#PCDATA) 
The input parameter name. 
/SCAN SUMMARY OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE  (#PCDATA) 
The input parameter value. 
/SCAN SUMMARY OUTPUT/REOUEST/POST DATA — (4PCDATA) 
he POST data, if any. 
[SCAN. SUMMARY OUTPUT/RESPONSE DATETIME, SCAN. SUMMARY LIST?) 
[SCAN. SUMMARY OUTPUT/RESPONSE/SCAN. SUMMARY LIST 
(SCAN. SUMMARY”) 
[SCAN. SUMMARY OUTPUT/RESPONSE/SCAN. SUMMARY LIST/SCAN. SUMMARY 
(SCAN_REF?, SCAN. DATE?, HOST. SUMMARY') 
/SCAN SUMMARY. OUTPUT/RESPONSE/SCAN. SUMMARY LIST/SCAN SUMMARY/SCAN REF  (#PCDATA) 
The scan reference ID. 
/SCAN. SUMMARY. OUTPUT/RESPONSE/SCAN. SUMMARY LIST/SCAN SUMMARY/SCAN DATE  (#PCDATA) 
The scan date. 
[SCAN. SUMMARY OUTPUT/RESPONSE/SCAN. SUMMARY LIST/SCAN. SUMMARY/HOST. SUMMARY 
(#PCDATA) 
The host(s) that were included in the target but not scanned for some 
reason. 


attribute: category 


attribute: tracking 


The host’s tracking method (implied). 


The category/reason the host was not scanned (implied). 
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Scanner List Output 


API used 


<platform API server>/api/2.0/fo/scan/scanner/?action=list 


DTD for Scanner List Output 
<platform API server>/api/2.0/fo/scan/scanner/scanner_list_output.dtd 


A recent DTD is shown below. 


<!-- QUALYS SCANNER LIST OUTPUT.DTD --> 
<!-- SRevision$ --> 
<!ELEMENT IP SCANNERS LIST OUTPUT (REOUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 
<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 


<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 

<!ELEMENT RESPONSE (DATETIME, IP SCANNERS OUTPUT?) > 
<!ELEMENT IP SCANNERS OUTPUT (IP SCANNED*) > 
<!ELEMENT IP SCANNED (IP, SCAN REF, SCAN DATE, SCANNER IDENTIFIER, 
SCANNER TYPE, ML VERSION, VULNSIGS VERSION) > 


<!ELEMENT IP (#PCDATA) > 
<!ELEMENT SCAN REF (#PCDATA) > 

<!ELEMENT SCAN DATE PCDATA) > 
<!ELEMENT SCANNER IDENTIFIER (#PCDATA) > 
<!ELEMENT SCANNER TYPE (#PCDATA) > 
<!ELEMENT ML VERSION (#PCDATA) > 
<!ELEMENT VULNSIGS VERSION (#PCDATA) > 


ei te. tel ES E 


<!-- EOF --> 
XPaths for Scanner List Output 


XPath element specifications / notes 
(IP SCANNERS LIST OUTPU (REOUEST?, RESPONSE) 


(IP. SCANNERS LIST OUTPUT/REOUEST 
(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/IP SCANNERS LIST OUTPUT/REOUEST/DATETIME  (#PCDATA) 


The date and time of the request. 
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/IP SCANNERS LIST OUTPUT/REOUEST/USER LOGIN (#PCDATA) 
The user login ID of the user who made the reguest. 
/IP SCANNERS LIST OUTPUT/REOUEST/RESOURCE — (4PCDATA) 
The resource specified for the reguest. 
/IP SCANNERS LIST OUTPUT/REOUEST/PARAM LIST (PARAM+) 
/IP SCANNERS LIST OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE) 
/IP SCANNERS LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY — (4PCDATA) 
The input parameter name. 
/IP SCANNERS. LIST. OUTPUT/REOUEST/PARAM. LIST/PARAM/VALUE  (#PCDATA) 
The input parameter value. 
/IP SCANNERS LIST. OUTPUT/REOUEST/POST DATA — (4PCDATA) 
The POST data, if any. 
/IP SCANNERS LIST OUTPUT/RESPONSE (DATETIME, IP SCANNERS. OUTPUT?) 
/IP SCANNERS LIST OUTPUT/RESPONSE/IP SCANNERS OUTPU 
(IP_SCANNED*) 
/IP_SCANNERS_LIST_OUTPUT/RESPONSE/IP_SCANNERS_OUTPUT/IP_SCANNED 
(IP, SCAN_REF, SCAN_DATE, SCANNER_IDENTIFIER, SCANNER_TYPE, 
ML_VERSION, VULNSIGS_VERSION) 
/IP_SCANNERS_LIST_OUTPUT/RESPONSE/IP_SCANNERS_OUTPUT/IP_SCANNED/IP (#PCDATA) 
The scanned IP address. 
/IP_SCANNERS_LIST_OUTPUT/RESPONSE/IP_SCANNERS_OUTPUT/IP_SCANNED/SCAN_REF (#PCDATA) 
The scan reference ID. 
/IP SCANNERS LIST. OUTPUT/RESPONSE/IP SCANNERS OUTPUT/IP SCANNED/SCAN DATE (#PCDATA) 
The date ofthe scan. 
(IP. SCANNERS LIST OUTPUT/RESPONSE/IP SCANNERS. OUTPUT/IP. SCANNED/SCANNER IDENTIFIER 
(#PCDATA) 
The scanner identifier (external scanner or scanner appliance name). 
/IP_SCANNERS_LIST_OUTPUT/RESPONSE/IP_SCANNERS_OUTPUT/IP_SCANNED/SCANNER_TYPE (#PCDATA) 
The type of the scanner (extranet or appliance). 
/IP_SCANNERS_LIST_OUTPUT/RESPONSE/IP_SCANNERS_OUTPUT/IP_SCANNED/ML_VERSION (#PCDATA) 
The scanning engine version currently installed on the scanner appliance. 
/IP_SCANNERS_LIST_OUTPUT/RESPONSE/IP_SCANNERS_OUTPUT/IP_SCANNED/VULNSIGS_VERSION 
(#PCDATA) 


The vulnerability signatures version curren 
appliance. 


tly installed on the scanner 
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PCI Scan Share Status Output 
API used 


<platform API server>/api/2.0/fo/scan/pci/?action=share 


DTD for PCI Scan Share Status Output 
<platform API server>/api/2.0/fo/scan/pci/pci scan share status.dtd 
A recent DTD is shown below. 


<!-- OUALYS PCI SCAN SHARE STATUS DTD --> 


<!ELEMENT PCI SCAN SHARE STATUS (REOUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!EL ENT DATETIME (#PCDATA) > 

<!EL ENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARA | LIST (PARAM+) > 

<!ELEMENT PARA (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 

<!ELEMENT POST DATA (#PCDATA) > 

<!EL T RESPONSE (SCAN) > 


N 
<!EL NT SCAN (MERCHANT USERNAME, SCAN REF, STATUS, LAST SHARED) > 
<!ELEMENT MERCHANT USERNAME (#PCDATA) > 
N 
N 


<!EL T SCAN REF (#PCDATA) > 
<!ELEMENT LAST SHARED (#PCDATA) > 
<!ELEMENT STATUS (#PCDATA) > 

<!-- EOF --> 


XPaths for PCI Scan Share Status Output 


This section describes the XPaths for the PCI scan share status output 
(pci_scan_share_status.dtd). 


XPath element specifications / notes 
/PCI_LSCAN_SHARE_STATUS (REQUEST?, RESPONSE 
/PCI_SCAN_SHARE_STATUS/REQUEST 


(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/PCILSCAN_SHARE_STATUS/REQUEST/DATETIME — (4PCDATA) 


The date and time of the request. 


/PCI SCAN SHARE STATUS/REOUEST/USER LOGIN  (#PCDATA) 


The user login ID of the user who made the request. 
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XPath element specifications / notes 
(PCI SCAN SHARE STATUS/REOUEST/RESOURCE (#PCDATA) 


The resource specified for the reguest. 
PCI SCAN SHARE STATUS/REOUEST/PARAM LIST (PARAM+) 


T 
Wn 
3 


at 


PCI_SCAN_SHARE_STATUS/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 


PCI SCAN SHARE STATUS/REOUEST/PARAM LIST/PARAM/KEY (#PCDATA) 


aS 


RS 


The input parameter name. 
(PCI SCAN SHARE STATUS/REOUEST/PARAM LIST/PARAM/VALUE — (4PCDATA) 


The input parameter value. 

/PCI SCAN SHARE, STATUS/REOUEST/POST DATA — (4PCDATA) 
The POST data, if any. 

PCI SCAN SHARE STATUS/RESPONSE (SCAN 

PCI SCAN SHARE. STATUS/RESPONSE/SCAN 

(MERCHANT. USERNAME, SCAN REF, STATUS, LAST. SHARED) 

(PCI SCAN SHARE STATUS/RESPONSE/SCAN/MERCHANT USERNAME (#PCDATA) 


The user name for a target PCI Merchant account. This account is 
ciated with a share PCI scan request. 


O 
/PCI_SCAN_SHARE_STATUS/RESPONSE/SCAN/SCAN_REF (#PCDATA) 


z 


SS 


m 


m 


The scan reference ID for the PCI scan associated. This PCI scan is 
associated with a share PCI scan reguest. 


(PCI SCAN SHARE STATUS/RESPONSE/SCAN/STATUS  (#PCDATA) 


m 


The share status of a share PCI scan request for a PCI Merchant account 
and a PCI scan: Oueued (reguest was received and sharing has not started 
yet), In Progress, Finished (request was successful and the scan was 
shared/exported to the PCI Merchant account successfully), or Error 


(request was not successful and the scan was not shared/exported). 
/PCI_SCAN_SHARE_STATUS/RESPONSE/SCAN/LAST_SHARED (#PCDATA) 


The most recent date and time of a share PCI scan request for a PCI 
Merchant account and a PCI scan. 
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KnowledgeBase Output 
API used 


<platform API server>/api/2.0/fo/knowledge_base/vuln/?action=list 


DTD for KnowledgeBase Output 


<platform API server>/api/2.0/fo/knowledge_base/vuln/ 
knowledge_base_vuln_list_output.dtd 


A recent DTD is shown below. 


<!-- QUALYS KNOWLEDGE BASE VULN LIST OUTPUT DTD --> 
<!ELEMENT KNOWLEDGE BASE VULN LIST OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 
<!ELEMENT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (#PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA) > 
<!ELEMENT PARAM LIST (PARAM+) 
<!ELEMENT PARAM (KEY, VALUE 
<!ELEMENT KEY (#PCDATA) > 
<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


U 


<!ELEMENT RESPONSE (DATETIME, (VULN LISTIID SET)?, WARNING?) > 
<!-- DATETIME already defined --> 
<!ELEMENT VULN LIST (VULN*)> 
<!ELEMENT VULN (QID, VULN TYPE, SEVERITY LEVEL, TITLE, CATEGORY?, 
DETECTION INFO?, LAST CUSTOMIZATION?, 
LAST SERVICE MODIFICATION DATETIME?, PUBLISHED DATETIME, 
BUGTRAQ LIST?, PATCHABLE, SOFTWARE LIST?, VENDOR REFERENCE LIST?, 
CVE_LIST?, DIAGNOSIS?, DIAGNOSIS COMMENT?, CONSEQUENCE?, 
CONSEQUENCE COMMENT?, SOLUTION?, SOLUTION COMMENT?, COMPLIANCE LIST?, 
CORRELATION?, CVSS?, CVSS V3?, PCI_FLAG?, AUTOMATIC PCI FAIL?, 
PCI REASONS?, THREAT INTELLIGENCE?, SUPPORTED MODULES?, DISCOVERY, 
IS_DISABLED?, CHANGE LOG LIST? )> 


ID (#PCDATA) > 
N TYPE (#PCDATA) > 
l EVERITY LEVEL (#PCDATA)> 
<!ELEMENT TITLE (#PCDATA)> 
<!ELEMENT CATEGORY (#PCDATA)> 
<!ELEMENT DETECTION_INFO (#PCDATA)> 
<!ELEMENT LAST CUSTOMIZATION (DATETIME, USER LOGIN?)> 

<!-- USER LOGIN already defined (no USER LOGIN for OVAL Vulns) - 


N 

2 
n < O 

Q 


<!ELEMENT LAST SERVICE MODIFICATION DATETIME (#PCDATA) > 
<!ELEMENT PUBLISHED DATETIME (#PCDATA) > 
<!ELEMENT BUGTRAQ LIST (BUGTRAQ+)> 

<!ELEMENT BUGTRAQ (ID, URL)> 
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<! 


MW ALIAS?, 


<! 


IMPACT?, A 


!ELEME 
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PCDATA) > 

PCDATA) > 

(t PCDATA) > 
+) > 


PRODU 
VENDO 


IST (SOFTWAR 
E (PRODUCT, VI 
CT (#PCDATA) > 
R (#PCDATA) > 


H 
E, 
E 
B, 


NDOR) > 


DOR RE 


FERENCE LIST (VENDOR REFERENCE+) > 


VENDOR _ 


REFERENCE (ID, URL)> 


_LIST 
ENT CVE (ID 
D, URL alre 
NT DIAGNOSIS 


NT DIAGNOSIS CO 


(CVE +) > 

, URL)> 

ady defined --> 
(#PCDATA) > 

ENT (#PCDATA) > 


NT CONSEQUEN 


CE ( DATA) > 


NT 


CONSEQUEN 
SOLUTION 
UTION | 
COMPLIANC 


uN 
O 


CE. 
(#PC 
CO 


ENT ( 
DATA) > 

ENT (#PCDATA) > 
S 


PCDATA) > 


PLIA 


E LI (COMPLIANCE+) > 
NCE (TYPE, SECTION, DESCRIPTION) > 


E E 
SECTI 
DESCR 
ELATI 
XPLOIT 


(t PCDATA) > 

ON (#PCDATA) > 

IPTION (#PCDATA) > 
( 


ON PLOITS?, MALWARE?) > 


7 
tai 
U 


EXPLT 


ENT EXP 


ENT SRC NAI 


S (EXPLT SRC+)> 
SRC (SRC NAME, 
(#PCDATA) > 

T T+) > 


EXPLT LIST)> 


EMENT E 


XPLT F, DESC, LINK?)> 


<!ELEMENT 


LT_LISI 
( 
( 


DATA) > 


<!ELEMENT 


PCDATA) > 


<!ELEMENT 


PCDATA) > 


<! 


ELEMENT MALWARE 
<!ELEMENT MW_SR 
<!ELEMENT MW_ 


(MW SRC+) > 
C (SRC NAME, MW LIST)> 
LIST (MW INFO+) > 


<!ELEMENT 

MW RATING?, MW L 
<!ELEMENT 
<!ELEMENT 
<!ELEMENT 
<!ELEMENT 
<!ELEMENT 
<!ELEMENT 


El 


W INFO (MW ID, MW_TYP 
INK?) > 
W ID (#PCDATA) > 

YPE (#PCDATA) > 
LATFORM (#PCDATA) > 
LIAS (#PCDATA) > 
ATING (#PCDATA) > 
INK (#PCDATA) > 


DH 


E: 
R 


= 


ELEMENT CVSS (BAS 
UTHENTICATION?, 
PLOITABILITY?, 
ENT BASE ( 
LIST BASE 


T 


2, TEMPORAL?, VECTOR STRING?, ACC 


2, MW PLATFORM?, 


REMEDIATION LEVEL?, 


REPORT CONFIDENC 


PCDATA) > 
source CDATA +1 


ENT TEMPORA 
ENT VECTOR _ 


y (#PCDATA) > 
STRING (#PCDATA) > 


ENT ACCESS 


(VECTOR?, COMPLEXITY?) > 


!ELEMENT VECTO 
¡ELEMENT COMPL 
ENT IMPACT 


R (#PCDATA) > 
EXITY (#PCDATA) > 
(CONFIDENTIALITY?, 


INTEGRITY ?, 
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AVAILABILITY?) > 


<= 


¡ELEMENT AUTHENTICATION ( 
!ELEMENT EXPLOITABILITY ( 
ELEMENT REM ie F 
! ELEMENT REPORT CONFIDENCE 


<!ELEMENT CONFIDENTIALITY 
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(# PCDATA) > 


<!ELEMENT INTEGRITY (#PCDATA) > 


<!ELEMENT AVAILABILITY ( 


T 


DIATION LEVEL 


<!ELEMENT CVSS V3 (BASE?, TE 
IMPACT?, PRI 


REPORT CONFI 


PCDATA) > 
PCDATA) > 
> 


z 


PORAL?, VI 


VILEGES REOUIRED?, USER INTERACT 


DENCE?) > 


<!E 


EMENT ATTACK (VECTOR?, CO 


<!E 


EMENT PRIVILEGES REOUIRED 


<!E 


EMENT USER INTERACTION (+ 


<!E 


EMENT SCOPE (#PCDATA)> 


<!E 


<!E 


EMENT PCI FLAG (#PCDATA) > 


<!E 


EMENT AUTOMATIC PCI FAIL 


<!E 


EMENT PC 


<!E 


PLEXITY?) > 
(# PCDATA) > 


PCDATA) > 


(#PCDATA) > 


EASONS (PCI REASON+) > 
EASON (#PCDATA) > 


PION?, 
EXPLOIT CODE MATURITY?, REMEDIATION L 
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CTOR_STRING?, ATTACK?, 
SCOP 


a 
E?, 


EVEL?, 


EMENT EXPLOIT CODE MATURITY (#PCDATA) > 


<!EL 


EL+) > 


EAT INTELLIGENCE 


<!EL 


<!AT 


TLIST TH 


EAT INTEL 
ATA #REQUIRED> 


<!EL 


EMENT SU 


<!EL 


<!ELEMEN 
<= oT 


!ELEMENT CHANGE LOG INFO (CHANGE DATE 
<!ELEMENT CHANGE DATE (#PCDATA) > 
ENTS (#PCDATA) > 


I 

I 

R (THREAT_INT 
EMENT THREAT INTEL (#PCDATA)> 

R 

D 

P 


PORTED MODULES (#PCDATA) > 


<!ELEMENT AUTH TYPE (#PCDATA) > 

¡ELEMENT ADDITIONAL INFO (#PCDATA) > 
EMENT IS DISABLED (#PCDATA) > 
EMENT CHANGE LOG LIST (CHANGE LOG INFO+) > 


EMENT DISCOVERY (REMOTE, AUTH TYPE LIST?, ADDITIONAL INFO?) > 
¡ELEMENT REMOTE (#PCDATA) > 
¡ELEMENT AUTH TYPE LIST (AUTH TYPE+) > 


COMM 


ENTS) > 


T ID SET ((ID|ID RANGE) +) > 


D already defined --> 


ENT ID RANGE (#PCDATA) > 


<!ELEMEN 


T WARNING (CODE?, TEXT, URL?)> 


<!ELE 


ENT CODE (#PCDATA) > 


<!ELE 


<!-- U 


EOF --> 


ENT TEXT (#PCDATA) > 
RL already defined --> 
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XPaths for KnowledgeBase Output 


XPath 


element specifications / notes 


/ 


EOUEST?, RESPONSE) 


/ EST 
ER LOGIN, RESOURCE, PARAM LIST?, POST DATA?) 
/ EST/DATETIME — (*PCDATA) 


ime of the API request. (This element appears only when the 
udes the parameter echo_request=1.) 


EST/USER LOGIN (#PCDATA) 


D ofthe user who made the reguest. (Thi 
y when the API reguest includes the parameter echo reguest=1.) 


s element appears 


EST/RESOURCE  (#PCDATA) 


resource specified for the reguest. (This element appears only when 
the API reguest includes the parameter echo reguest=1.) 


EST/PARAM LIST  (PARAM+)) 


EST/PARAM LIST/PARAM (KEY, VALUE) 


EST/PARAM LIST/PARAM/KEY (#PCDATA) 


input parameter name. (This element appears only when the API 
udes the parameter echo reguest=1.) 


EST/PARAM LIST/PARAM/VALUE  (#PCDATA) 


meter value. This element appears only when the API reguest 
arameter echo reguest=1. 


EST/POST DATA  (#PCDATA) 


if any. (This element appears only when the API request 
he parameter echo reguest=1.) 


ESPONSE 
, (VULN_LIST|ID_SET)?, WARNING?) 


ESPONSE/DATETIME (#PCDATA) 


ate and time of the Qualys response. 


SS) 


ESPONSE/VULN_LIST (VULN+) 


= 


ESPONSE/VULN_LIST/VULN 


LN_TYPE, SEVERITY_LEVEL, TITLE, CATEGORY, DETECTION_INFO?, 
LAST_CUSTOMIZATION?, LAST_SERVICE_MODIFICATION_DATETIME?, 
D_DATETIME, BUGTRAO LIST?, PATCHABLE, SOFTWARE LIST?, 
REFERENCE LIST?, CVE. LIST?, DIAGNOSIS?, 
S COMMENT?, CONSEOUENCE?, CONSEOUENCE. COMMENT ?, 
SOLUTION?, SOLUTION. COMMENT?, COMPLIANCE_LIST?, 

TION?, CVSS?, CVSS V3?, PCI FLAG?, AUTOMATIC PCI FAIL?, 
PCI REASONS?, THREAT_INTELLIGENCE?, SUPPORTED MODULES?, 

YY, IS DISABLED?, CHANGE LOG LIST?) 


(KNOWLEDGE BASE VULN LIST. 


RESPONSE/VULN_LIST/VULN/QID (#PCDATA) 
vulnerability OID (Oualys ID) 


assigned by the service. 


(KNOWLEDGE BASE VULN LIS 
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The vulnerability type: Vulnerability, Potential Vulnerability or Information 
Gathered. The type “Vulnerability or Potential Vulnerability” corresponds to 
the halfred/half yellow icon in the OualyGuard user interface. If confirmed 
to exist on a host during a scan, the vulnerability is classified as a 
confirmed vulnerability in your account; if not the vulnerability is classified 
as a potential vulnerability in your account. 


(KNOWLEDGE. BASE VULN LIST OUTPUT/RESPONSE/VULN LIST/VULN/SEVERITY LEVEL (#PCDATA) 


The severity level of the vulnerability. A valid value for a confirmed or 
potential vulnerability is an integer 1 to 5, where 5 represents the most 
serious risk if exploited. A valid value for information gathered is a value 1 
to 3, where 3 represents the most serious risk if exploited. 


(KNOWLEDGE. BASE VULN LIST OUTPUT/RESPONSE/VULN LIST/VULN/TITLE (#PCDATA) 
The vulnerability title. 
(KNOWLEDGE BASE VULN LIST. OUTPUT/RESPONSE/VULN LIST/VULN/CATEGORY  (#PCDATA) 
The vulnerability category. 


(KNOWLEDGE. BASE VULN LIST. OUTPUT/RESPONSE/VULN LIST/VULN/ 
LAST. CUSTOMIZATION (DATETIME, USER LOGIN) 


The date this vulnerability was last customized by a user, in YYYY-MM- 
DDTHH:MM:SSZ format (UTC/GMT). 


/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
LAST_SERVICE_MODIFIDATION_DATETIME (#PCDATA) 


The date this vulnerability was last updated by the service, in YYYY-MM- 
DDTHH:MM:SSZ format (UTC/GMT). 


/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
PUBLISHED DATETIME (#PCDATA) 


The date this vulnerability was published by the service, in YYYY-MM- 
DDTHH:MM:SSZ format (UTC/GMT). 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
BUGTRAO LIST (BUGTRAQ+) 
(KNOWLEDGE. BASE VULN LIST. OUTPUT/RESPONSE/VULN LIST/VULN/ 
BUGTRAO LIST/BUGTRAO (ID, URL 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
BUGTRAO LIST/BUGTRAO/ID  (#PCDATA) 
A Bugtrag ID for a vulnerability. 
BASE. VULN LIST. OUTPUT/RESPONSE/VULN LIST/VULN/ 


los) Ss 
AN 
2 
O 
< 
C 
to 
J 
a 


a Bugtraq ID. 


to 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
PATCHABLE  (#PCDATA) 


A flag indicating whether there is a patch available to fix the vulnerability. 
The value 1 indicates a patch is available to fix the vulnerability. The value 
O indicates a patch is not available to fix the vulnerability. 
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(KNOWLEDGE BASE VULN LIS 
SOFTWARE LIST 


(SOFTWARE+) 


OUTPUT/RESPONSE/VULN_L 


ST/VULN/ 


/KNOWLEDGE_BASE_VULN_LIS 


SOFTWAR 


E_LIST/SOFTWARE 


PRODUCT, VENDOR) 


OUTPUT/RESPONSE/VULN_L 


ST/VULN/ 


/KNOWLEDGE_BASE_VULN_LIS 
SOFTWARE_LIST/SOFTWARE/PRODUCT 


Software product information a 


(#PCDATA\ 


OUTPUT/RESPONSE/VULN_L 


) 


ST/VULN/ 


ssociated with the vulnerability. This 


information is provided by NIST as a part of CVE information. (This 


element appears only when the 


details=All.) 


API request includes the parameter 


/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_L 
SOFTWARE_LIST/SOFTWARE/VENDOR 


#PCDATA) 


Software vendor information 


information is provided by N 
element appears only whe 


ST/VULN/ 


associated with the vulnerability. This 
ST as a part of CVE information. (This 
n the API request includes the parameter 


details=All.) 

(KNOWLEDGE. BASE. VULN. LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 

VENDOR REFERENCE LIST (VENDOR, REFERENCE+) 

(KNOWLEDGE. BASE. VULN. LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 

VENDOR. REFERENCE. LIST/VENDOR ID, URL) 

(KNOWLEDGE. BASE. VULN. LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 

VENDOR REFERENCE LIST/VENDOR/ID  (#PCDATA 
A name of a vendor reference 

/KNOWLEDGE. BASE. VULN. LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 

VENDOR REFERENCE. LIST/VENDOR/URL #PCDATA) 
The URL to a vendor reference 

/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 

CVE (ID, URL) 

/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 

CVE/ID #PCDATA) 
A CVE name assigned to the vulnerability. CVE (Common Vulnerabilities 
and Exposures) is a list of common names for publicly known 
vulnerabilities and exposures. Through open and collaborative discussions, 
the CVE Editorial Board determines which vulnerabilities or exposures are 
included in CVE. If the CVE name starts with CAN (candidate) then it is 
under consideration for entry into CVE. 

/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 

CVE/URL  (*PCDATA) 
The URL to a CVE name. 

/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 

DIAGNOSIS (#PCDATA) 


A service-provided 
successfully exploi 


descriptio 
ted. 


n of the threat posed by the vulnerability if 


/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONS 


DIAGNOSI 


S_COMMENT 


(4PCDATA) 


A user-customized 


E/VULN_L 


successfully exploited. 


ST/VULN/ 


description of the threat posed by the vulnerability if 
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/KNOWLEDGE BASE. VULN LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 
CONSEQUENCE (4PCDATA) 


A service-provided description of the conseguences that may occur if this 
vulnerability is successfully exploited. 

(KNOWLEDGE. BASE VULN LIST. OUTPUT/RESPONSE/VULN LIST/VULN/ 

CONSEOUENCE COMMENT  (#PCDATA) 


A user-customized description of the conseguences that may occur if this 
vulnerability is successfully exploited. 


(KNOWLEDGE. BASE VULN LIST. OUTPUT/RESPONSE/VULN LIST/VULN/ 
SOLUTION (#PCDATA) 
A service-provided description of a verified solution to fix the vulnerability. 
(KNOWLEDGE BASE. VULN. LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 
SOLUTION COMMENT (#PCDATA' 
A user-customized description of a verified solution to fix the vulnerability. 
(KNOWLEDGE. BASE VULN LIST. OUTPUT/RESPONSE/VULN LIST/VULN/ 
COMPLIANCE LIST (COMPLIANCE+) 
(KNOWLEDGE. BASE VULN LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 
COMPLIANCE LIST (TYPE, SECTION, DESCRIPTION) 
(KNOWLEDGE. BASE VULN LIST. OUTPUT/RESPONSE/VULN  LIST/VULN/ 
COMPLIANCE LIST/TYPE (#PCDATA) 
A type of a compliance information associated with the vulnerability: 


HIPAA, GLBA, CobIT or SOX. 


/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
COMPLIANCE LIST/SECTION (#PCDATA) 
A sectio a compliance policy or regulation. 


no 
KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
_LIST/DESCRIPTION (#PCDATA) 


A description of a compliance policy or regulation. 


BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
ORRELATION (EXPLOITS?, MALWARE? 


G 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CORRELATION/EXPLOITS (EXPL_SRC+) 


The <EXPLOITS> element and its sub-elements appear only when there is 
exploitability information for the vulnerability from third party vendors 
and/or publicly available sources. 


/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CORRELATION/EXPLOITS/EXPL SRC (SRC NAME, EXPLT LIST) 


(KNOWLEDGE. BASE VULN LIST. OUTPUT/RESPONSE/VULN LIST/VULN/ 
CORRELATION/EXPLOITS/EXPL SRC/SRC NAME (#PCDATA) 


A name ofa third party vendor or publicly available source whose 
exploitability information is correlated with the vulnerability. 
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(KNOWLEDGE BASE VULN LIST OUTPUT/RESPONSE/VULN LIST/VULN/ 
CORRELATION/EXPLOITS/EXPL_SRC/EXPLT_LIS (EXPLT+) 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CORRELATION/EXPLOITS/EXPL_SRC/EXPLT_LIST/EXPL (REF, DESC, LINK?) 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CORRELATION/EXPLOITS/EXPL_SRC/EXPLT_LIST/EXPLT/REF #PCDATA) 
A CVE reference for the exploitability information. 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CORRELATION/EXPLOITS/EXPL SRC/EXPLT LIST/EXPLI/DESC  (*PCDATA) 
A description of the exploitability information provided by the source (third 
party vendor or publicly available source). 
/KNOWLEDGE BASE. VULN. LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 
CORRELATION/EXPLOITS/EXPL SRC/EXPLT LIST/EXPLI/LINK — (4PCDATA) 
A link to the exploit for the vulnerability, when available from the source. 
(KNOWLEDGE BASE VULN LIST OUTPUT/RESPONSE/VULN LIST/VULN/ 
MALWARE (MW SRC+ 
The <MALWARE> element and its sub-elements appear only when there is 
malware information for the vulnerability from Trend Micro. 
(KNOWLEDGE BASE. VULN. LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 
MALWARE/MW SRC (SRC NAME, MW LIST) 
(KNOWLEDGE. BASE. VULN. LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 
MALWARE/MW. SRC/SRC NAME — (4PCDATA) 
The name ofthe source of the malware information: Trend Micro. 
(KNOWLEDGE BASE VULN. LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 
MALWARE/MW. SRC/MW LIST (MW INFO+) 
(KNOWLEDGE BASE VULN LIST OUTPUT/RESPONSE/VULN LIST/VULN/ 
MALWARE/MW. SRC/MW LIST/MW INFO 
(MW. ID, MW. TYPE?, MW. PLATFORM?, MW. ALIAS?, MW. RATING?, 
MW. LINK?) 
KNOWLEDGE. BASE VULN LIST OUTPUT/RESPONSE/VULN LIST/VULN/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO/MW_ID  (*PCDATA 
A malware name/ID assigned by Trend Micro. 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO/MW_TYPE — (4PCDATA) 
A type of malware, such as Backdoor, Virus, Worm or Trojan. 
(KNOWLEDGE BASE. VULN. LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 
MALWARE/MW. SRC/MW LIST/MW INFO/MW. PLATFORM  (#PCDATA) 
A list of the platforms that may be affected. 
(KNOWLEDGE. BASE. VULN. LIST. OUTPUT/RESPONSE/VULN. LIST/VULN/ 
MALWARE/MW. SRC/MW LIST/MW INFO/MW ALIAS  (*PCDATA) 
A list of other names used by different vendors and/or publicly available 
sources that refer to the same threat. 
(KNOWLEDGE BASE VULN LIST OUTPUT/RESPONSE/VULN LIST/VULN/ 
MALWARE/MW. SRC/MW LIST/MW INFO/MW RATING  (*PCDATA) 


An overall risk rating as determined by Trend Micro: Low, Medium or High. 
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(KNOWLEDGE BASE VULN LIST OUTPUT/RESPONSE/VU 


MALWARE/MW. SRC/MW LIST/MW INFO/MW. LIN 


LN LIST 
K  (#PCDATA) 


A link to malware details. 


F/VULN/ 


(KNOWLEDGE. BASE VULN LIST. OUTPUT/RESPONSE/VU 
CVSS (BASE, TEMPORAL?, VECTO 
AUTHENTICATION?, EX 
REPORT. CONFIDENCE? 


LN LIST 


F/VULN/ 
R. STRING?, ACCESS?, IMPACT?, 
PLOITABILITY?, REMEDIATION. LEVEL?, 


CVSS2 subelements fo 
Scoring feature is turned on 
includes the parameter detai 


CVSS Sub Metrics appear only when the CVSS 
in the user’s subscription and the API request 
1s=All.) 


(KNOWLEDGE BASE. VULN LIST. OUTPUT/RESPONSE/V 


CVSS base score assigned to 


ULN LIST/VULN/CVSS BASE  (*PCDATA) 


the vulnerability. 


attribute: source source is implied 
score for the vuln 


CVSS base score provided by 


and, 
erabi 


if present, is “service” to indicate that the CVSS base 
ity is supplied by Oualys. The service displays a 


IST whenever available. In a case where NIST 
lists a CVSS base score of 0 or does not provide a score for a vulnerability in 


the NVD, the service determines whether the severity of the vulnerability 

warrants a higher CVSS base score. 
(KNOWLEDGE. BASE VULN LIST OUTPUT/RESPONSE/VULN LIST/VULN/CVSS/TEMPORAL (#PCDATA) 

CVSS2 temporal score. 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/CVSS/VECTOR_STRING 
(#PCDATA 

CVSS scores of individual metrics. See “CVSS Sub Metrics Mapping” below. . 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CVSS/ACCESS (VECTOR?, COMPLEXITY?) 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CVSS/ACCESS/VECTOR (#PCDATA) 

CVSS access vector metric. See “CVSS Sub Metrics Mapping” below. 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CVSS/ACCESS/COMPLEXITY (#PCDATA) 

CVSS access complexity metric. See “CVSS Sub Metrics Mapping” below. 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CVSS/IMPACT (CONFIDENTIALITY?, INTEGRITY?, AVAILABILITY?) 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CVSS/IMPACT/CONFIDENTIALITY (#PCDATA) 

CVSS confidentiality impact metric. See “CVSS Sub Metrics Mapping” below. 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CVSS/IMPACT/INTEGRITY — (#PCDATA) 

CVSS integrity impact metric. See “CVSS Sub Metrics Mapping” below. 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CVSS/IMPACT/AVAILABILITY (#PCDATA 

CVSS availability impact metric. See “CVSS Sub Metrics Mapping” below. 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 
CVSS/AUTHENTICATION (#PCDATA) 

CVSS authentication metric. See “CVSS Sub Metrics Mapping” below. 
/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 


CVSS/EXPLOITABILITY (#PCDATA 
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CVSS exploitability metric. See “CVSS Sub Metrics Mapping” below. 


/KNOWLEDGE. BASE. VULN  LIS 


OUTPUT/RESPONSE/VULN LIST/VULN/ 
CVSS/REMEDIATION LEVEL (#PCDATA) 


CVSS remediation level metric. See “CVSS Sub Metrics Mapping” below. 


/KNOWLEDGE. BASE. V 
CVSS/REPORT_CONFID 


S 


mG 
t 
Z 
E 


(PCDATA 


OUTPUT/RESPONSE/VULN_LIST/VULN/ 


CVSS report confidence metric. See “CVSS Sub Metrics Mapping” below. 


/KNOWLEDGE_BASE_VULN_LIS 


CVSS_V3 


OUTPUT/RESPONSE/VULN_LIST/VULN/ 


(BASE, TEMPORAL?,VECT 


OR. STRING?, ATTACK?,IMPACT?, 


PRIVILEGES REOUIRED? USER. INTERACTION?,SCOPE?, 
EXPLOIT. CODE MATURITY?,REMEDIATION. LEVEL?, 


REPORT. CONFIDENCE?) 


CVSS3 subelements for CVSS Sub Metrics appear only when the CVSS 


Scoring feature is turned 


on in the user’s subscription and the API request 


includes the parameter details=All.) 


/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 


PCI FLAG (#PCDATA) 


A flagindicating whether 
compliance. The value 1 i 


the vulnerability must be fixed to pass PCI 
ndicates the vulnerability must be fixed to pass 


PCI compliance. The value O indicates the vulnerability does not need to be 


fixed to pass PCI complia 


nce. 


(KNOWLEDGE BASE VULN LIS 


This flagi 


n 


for internal use only. 


OUTPUT/RESPONSE/VULN_LIST/VULN/ 
AUTOMATIC PCI FAIL (#PCDATA) 


/KNOWLEDGE_BASE_VULN_LIS 


PCI REASONS  (PCI_REASON+ 


OUTPUT/RESPONSE/VULN_LIST/VULN/ 


/KNOWLEDGE_BASE_VULN_LIS 


OUTPUT/RESPONSE/VULN_LIST/VULN/ 
PCI REASONS/PCI REASON  (#PCDATA) 


A reason why the vulnerability passed or failed PCI compliance. This 
appears only when the CVSS Scoring feature is turned on in the user's 
subscription and the API reguest includes the parameter 


show. pci reasons=1. 


(KNOWLEDGE BASE VULN LIS 


OUTPUT/RESPONSE/VULN_LIST/VULN/ 
THREAT_INTELLIGENCE (THREAT_INTEL+ 


/KNOWLEDGE_BASE_VULN_LIS 


attribute: id 


Qualys Real-Time Threat 


id is required and is a refe 
Real-Time Threat Indicator (RTI). 


OUTPUT/RESPONSE/VULN_LIST/VULN/ 
THREAT_INTELLIGENCE/THREAT_INTEL 


ndicators (RTIs) associated with the vulnerability. 
rence ID (CDATA) that corresponds to a Qualys 


/KNOWLEDGE_BASE_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/VULN/ 


SUPPORTED_MODULES (#PCDATA) 


One or more Qualys modules that can be used to detect the vulnerability. 
This appears only when the API request includes the parameter 
show_supported_modules_info=1. 


/KNOWLEDGE_BASE_VULN_LIS 


DISCOVERY 


OUTPUT/RESPONSE/VULN_LIST/VULN/ 


(REMOTE, AUTH TYPE 


LIST?)) 


(KNOWLEDGE BASE. VULN LIS 


DISCOVERY/REMOTE 


(#PCDATA) 
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A flagindicating whether the discovery method is remotely detectable. The 
value 0 indicates the vulnerability cannot be detected remotely 
(authentication is required). The value 1 indicates the vulnerability can be 


detected in tw 


using authenti 


o ways: 1) remotely without using authentication, and 2) 


cation. 


DGE_BASE_VULN_LIS 


DISCOVERY/AU 


(AUTH_TYPE+ 


OUTPUT/RESPONSE/VULN_LIST/VULN/ 


DISCOVERY/AU'I 


OUTPUT/RESPONSE/VULN_LIST/VULN/ 


[/AUTH TYPE (t 


PCDATA) 


An authentication type used to detect the vulnerability using trusted 


scanning. 


UT/RESPONSE/VULN_LIST/VULN/IS_DISABLED (#PCDATA) 


ndicating whether the vulnerability is disabled. A value of 1 means it 
bled. A value of 0 means it is not disabled. 


/RESPONSE/VULN_LIST/VULN/ 


U 

F 
UT/RESPONSE/VULN_LIST/VULN/ 
O (CHANGE DATE, COMMENTS) 


E 
OUTPUT/RESPONSE/VULN_LIST/VULN/ 
G_INFO/CHANGE_DATE — (*PCDATA) 


The date of a QID change. 


OUTPUT/RESPONSE/VULN_LIST/VULN/ 
_LIST/CHANGE_LOG_INFO/COMMENTS — (#PCDATA) 


Comments provided at the time of the QID change. 
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A mapping of the CVSS v2 and v3 sub metric values, as returned in the KnowledgeBase 
output, and the CVSS v2 and v3 sub metric names, as defined by the CVSS standard, is 
provided below. 


CVSS v2: Base Family 


KnowledgeBase Output 


Metric Value XML Element and Value 

Access Vector (AV) 

Local (L) <VECTOR>1</VECTOR> 

Adjacent Network (A) <VECTOR>2</VECTOR> 

Network (N) <VECTOR>3</VECTOR> 

Access Complexity 

Low (L) <COMPLEXITY>1</COMPLEXITY> 

Medium (M) <COMPLEXITY>2</COMPLEXITY> 

High (H) <COMPLEXITY>3</COMPLEXITY> 
Authentication (Au) 

None (N) <AUTHENTICATION>1</AUTHENTICATION> 
Single (S) <AUTHENTICATION>2</AUTHENTICATION> 
Multiple (M) <AUTHENTICATION>3</AUTHENTICATION> 
Confidentiality Impact (C) 

None (N) <CONFIDENTIALITY>1</CONFIDENTIALITY> 
Partial (P) <CONFIDENTIALITY>2</CONFIDENTIALITY> 
Complete (C) <CONFIDENTIALITY>3</CONFIDENTIALITY> 
Integrity Impact (I) 

None (N) <INTEGRITY>1</INTEGRITY> 

Partial (P) <INTEGRITY>2</INTEGRITY> 

Complete (C) <INTEGRITY>3</INTEGRITY> 

Availability Impact (A) 

None (N) <AVAILABILITY>1</AVAILABILITY> 

Partial (P) <AVAILABILITY>2</AVAILABILITY> 
Complete (C) <AVAILABILITY>3</AVAILABILITY> 
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CVSS v2: Temporal Metrics Family 


KnowledgeBase Download 


Metric Value XML Element and Value 

Exploitability (E) 

Not Defined (ND) <EXPLOITABILITY>0</EXPLOITABILITY> 

Unproven (U) <EXPLOITABILITY>1</EXPLOITABILITY> 
Proof-of-Concept (POC) <EXPLOITABILITY>2</EXPLOITABILITY> 

Functional (F) <EXPLOITABILITY>3</EXPLOITABILITY> 

High (H) <EXPLOITABILITY>4</EXPLOITABILITY> 
Remediation Level (RL) 

Not Defined (ND) <REMEDIATION_LEVEL>0</REMEDIATION_LEVEL> 
Official Fix (OF <REMEDIATION_LEVEL>1</REMEDIATION_LEVEL> 
Temporary Fix (TF) <REMEDIATION_LEVEL>2</REMEDIATION_LEVEL> 
Workaround (W) <REMEDIATION_LEVEL>3</REMEDIATION_LEVEL> 
Unavailable (U) <REMEDIATION_LEVEL>4</REMEDIATION_LEVEL> 
Report Confidence (RC) 

Not Defined (ND) <REPORT_CONFIDENCE>0</REPORT_CONFIDENCE> 
Unconfirmed (UC) <REPORT_CONFIDENCE>1</REPORT_CONFIDENCE> 
Uncorroborated (UR) <REPORT_CONFIDENCE>2</REPORT_CONFIDENCE> 
Confirmed (C) <REPORT_CONFIDENCE>3</REPORT_CONFIDENCE> 
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CVSS v3: Base Family 


KnowledgeBase Output 


Metric Value XML Element and Value 

Attack Vector (AV) 

Network (N) <VECTOR>1</VECTOR> 

Adjacent Network (A) <VECTOR>2</VECTOR> 

Local (L) <VECTOR>3</VECTOR> 

Physical (P) <VECTOR>4</VECTOR> 

Attack Complexity (AC) 

Low (L) <COMPLEXITY>1</COMPLEXITY> 

High (H <COMPLEXITY>2</COMPLEXITY> 

Privileges Required (PR) 

None (N) <PRIVILEGES_REQUIRED>1</PRIVILEGES_REQUIRED> 
Low (L) <PRIVILEGES_REQUIRED>2</PRIVILEGES_REQUIRED> 
High (H <PRIVILEGES_REQUIRED>3</PRIVILEGES_REQUIRED> 
User Interaction (UI) 

None (N) <USER_INTERACTION>1</USER_INTERACTION> 
Required (R) <USER_INTERACTION>2</USER_INTERACTION> 
Scope 

Unchanged (U) <SCOPE>1</SCOPE> 

Changed (C) <SCOPE>2</SCOPE> 

Confidentiality Impact (C) 

None (N) <CONFIDENTIALITY>1</CONFIDENTIALITY> 
Low (L) <CONFIDENTIALITY>2</CONFIDENTIALITY> 
High (H <CONFIDENTIALITY>3</CONFIDENTIALITY> 
Integrity Impact (1) 

None (N) <INTEGRITY>1</INTEGRITY> 

Low (L) <INTEGRITY>2</INTEGRITY> 

High (H <INTEGRITY>3</INTEGRITY> 

Availability Impact (A) 

None (N) <AVAILABILITY>1</AVAILABILITY> 

Low (L) <AVAILABILITY>2</AVAILABILITY> 

High (H <AVAILABILITY>3</AVAILABILITY> 
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CVSS v3: Temporal Metrics Family 


KnowledgeBase Download 


Metric Value XML Element and Value 

Exploit Code Maturity (E) 

Not Defined (X) <EXPLOIT_CODE_MATURITY>0</EXPLOIT_CODE_MATURITY> 
Unproven (U) <EXPLOIT_CODE_MATURITY>1</EXPLOIT_CODE_MATURITY> 
Proof-of-Concept (P) <EXPLOIT_CODE_MATURITY>2</EXPLOIT_CODE_MATURITY> 
Functional (F) <EXPLOIT_CODE_MATURITY>3</EXPLOIT_CODE_MATURITY> 
High (H) <EXPLOIT_CODE_MATURITY>4</EXPLOIT_CODE_MATURITY> 


Remediation Level (RL) 


Not Defined (X) <REMEDIATION_LEVEL>0</REMEDIATION_LEVEL> 
Official Fix (O) <REMEDIATION_LEVEL>1</REMEDIATION_LEVEL> 
Temporary Fix (T) <REMEDIATION_LEVEL>2</REMEDIATION_LEVEL> 
Workaround (W) <REMEDIATION_LEVEL>3</REMEDIATION_LEVEL> 
Unavailable (U) <REMEDIATION_LEVEL>4</REMEDIATION_LEVEL> 
Report Confidence (RC) 

Not Defined (X) <REPORT_CONFIDENCE>0</REPORT_CONFIDENCE> 
Unknown (U) <REPORT_CONFIDENCE>1</REPORT_CONFIDENCE> 
Reasonable (R) <REPORT_CONFIDENCE>2</REPORT_CONFIDENCE> 
Confirmed (C) <REPORT_CONFIDENCE>3</REPORT_CONFIDENCE> 
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Customized Vulnerability List Output 
API used 


<platform API server>/api/2.0/fo/knowledge_base/vuln/?action=custom 


DTD for Vulnerability List Output 


<platform API server>/api/2.0/fo/knowledge_base/vuln/ 
kb_custom_vuln_list_output.dtd 


A recent DTD is shown below. 


<!-- QUALYS KB CUSTOM VULN LIST OUTPUT DTD --> 


<!ELEMENT KB CUSTOM VULN LIST OUTPUT (REQUEST?,RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 


<!ELEMENT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (#PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA)> 
MENT PARAM LIST (PARAM+) > 
MENT PARAM (KEY, VALUE) > 
<!ELEMENT KEY (#PCDATA) > 
M 
i 
M 


ENT VALUE (#PCDATA)> 
if returned, POST_DATA will be urlencoded --> 
ENT POST DATA (#PCDATA) > 


<!ELEMENT RESPONSE (DATETIME, (CUSTOM VULN LIST) ?, WARNING?) > 
<!-- DATETIME already defined --> 
<!ELEMENT CUSTOM VULN LIST (CUSTOM VULN DATA*) > 
<!ELEMENT CUSTOM VULN DATA (QID, SEVERITY LEVEL, ORIGINAL SEVERITY LEVEL, 
IS DISABLED, UPDATED DATETIME, UPDATED BY, THREAT COMMENT?, 

IMPACT COMMENT?, SOLUTION COMMENT?) > 


<!ELEMENT OID (#PCDATA) > 
<!ELEMENT ORIGINAL SEVERITY LEVEL (#PCDATA) > 
<!ELEMENT SEVERITY LEVEL (#PCDATA) > 
<!ELEMENT UPDATED DATETIME (#PCDATA) > 
<!ELEMENT THREAT COMMENT (#PCDATA) > 

PACT COMMENT (#PCDATA) > 


OLUTION COMMENT (#PCDATA) > 
S DISABLED (#PCDATA) > 
PDATED BY (#PCDATA) > 


A 
Zz 
G H uU H HG U 


TEXT, URL?)> 


ENT WARNING (CODE? 
ENT CODE (#PCDATA) 
ENT TEXT (#PCDATA) 
ENT URL (#PCDATA)> 
<!-- URL already defined --> 
<!-- EOF ==> 


1 
> 
> 


58 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 2 - Scans XML 


XPaths for Vulnerability List Output 


XPath element specifications / notes 
[KB CUSTOM VULN LIST OUTPU (REOUEST?, RESPONSE) 
/KB. CUSTOM VULN LIST. OUTPUT/REOUEST 


U 
(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/KB CUSTOM. VULN LIST OUTPUT/REOUEST/DATETIME (#PCDATA) 


he date and time of the API request. (This element appears only when the 
API request includes the parameter echo_request=1.) 


/KB_CUSTOM_VULN_LIST_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 


The Qualys! login ID of the user who made the request. (This element 
appears only when the API request includes the parameter 
echo_request=1..) 


/KB_CUSTOM_VULN_LIST_OUTPUT/REQUEST/RESOURCE (#PCDATA) 


The resource specified for the request. (This element appears only when 
the API request includes the parameter echo_request=1..) 

/KB CUSTOM. VULN LIST OUTPUT/REOUEST/PARAM LIST  (PARAM?)) 

/KB CUSTOM V _OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE)) 
/KB_CUSTOM_VULN_L 


_OUTPUT/REQUEST/PARAM_LIST/PARAM/KEY — (4PCDATA) 
n 


G 
E 
Z 
E 


un 


input parameter name. (This element appears only when the API 
equest includes the parameter echo_request=1..) 


/KB_CUSTOM_VULN_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM/VALUE — (4PCDATA) 
n 


An input parameter value. This element appears only when the API reguest 
includes the parameter echo reguest=1.. 


/KB. CUSTOM. VULN LIST. OUTPUT/REOUEST/POST. DATA — (4PCDATA) 


The POST data, if any. (This element appears only when the API reguest 
includes the parameter echo reguest=1..) 


(KNOWLEDGE BASE VULN LIST OUTPUT/RESPONSE 

DATETIME, (CUSTOM. VULN LIST)?, WARNING?) 

/KB. CUSTOM. VULN. LIST. OUTPUT/RESPONSE/DATETIME (#PCDATA) 

The date and time of the Qualys response. 

/KB CUSTOM VULN LIST OUTPUT/RESPONSE/CUSTOM VULN LIST (CUSTOM VULN. DATA*) 
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/KB. CUSTOM VULN LIST. OUTPUT/RESPONSE/VULN LIS 


/CUS 


OM. VU 


LN DATA 


(QID, SEVERITY. LEVEL, ORIGINAL SEVERITY. LEVEL, IS. DISABLED, 


UPDATED DATETIME, UPDATED BY, THREAT. COMMENT ?, 
IMPACT. COMMENT?, SOLUTION. COMMENT?) 
/KB CUSTOM. VULN. LIST OUTPUT/RESPONSE/VULN LIST/CUSTOM VULN DATA/OID — (*PCDATA) 
The vulnerability OID assigned by Oualys. 
/KB CUSTOM VULN LIST OUTPUT/RESPONSE/VULN LIST/CUSTOM VULN. DATA/ 
SEVERITY LEVEL (#PCDATA) 
The severity level of the vulnerability. For a confirmed or potential 
vulnerability this is an integer 1 to 5, where 5 represents the most serious 
risk if exploited. For information gathered is an integer 1 to 3, where 3 
represents the most serious risk. 
[KB CUSTOM VULN LIST OUTPUT/RESPONSE/VULN LIST/CUSTOM. VULN. DATA/ 
ORIGINAL SEVERITY LEVEL (#PCDATA) 
The original severity level of the vulnerability. See SEVERITY. LEVEL above. 
/KB CUSTOM VULN LIST. OUTPUT/RESPONSE/VULN LIST/CUSTOM. VULN. DATA/ 
IS DISABLED — (4PCDATA) 
A flag indicating whether the vulnerability is disabled. A value of 1 means it 
is disabled. A value of 0 means itis not disabled. 
(KB CUSTOM VULN LIST OUTPUT/RESPONSE/VULN LIST/CUSTOM VULN DATA/ 
UPDATED DATETIME (#PCDATA) 
The date this vulnerability was last edited by a user, in YYYY-MM- 
DDTHH:MM:SSZ format (UTC/GMT). 
/KB_CUSTOM_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/CUSTOM_VULN_DATA/ 
UPDATED_BY (#PCDATA) 
The Qualys login ID of the user who last edited the vulnerability. 
/KB_CUSTOM_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/CUSTOM_VULN_DATA/ 
THREAT COMMENT  (#PCDATA) 
A user-customized description of the threat the vulnerability poses. 
/KB_CUSTOM_VULN_LIST_OUTPUT/RESPONSE/VULN_LIST/CUSTOM_VULN_DATA/ 
IMPACT COMMENT - (#PCDATA 
A user-customized description of the impact of the vulnerability if 
exploited 
(KB. CUSTOM VULN LIST OUTPUT/RESPONSE/VULN LIST/CUSTOM VULN DATA/ 
SOLUTION COMMENT  (#PCDATA) 
A user-customized description of a verified solution to fix the vulnerability. 
/KB CUSTOM. VULN LIST OUTPUT/RESPONSE/WARNING (CODE?, TEXT, URL?) 
/KB CUSTOM. VULN LIST OUTPUT/RESPONSE/WARNING/CODE  (#PCDATA) 
A warning code. 
/KB CUSTOM. VULN LIST OUTPUT/RESPONSE/WARNING/TEXT (4PCDATA) 
Warning message text. 
/KB CUSTOM. VULN LIST OUTPUT/RESPONSE/WARNING/URL (#PCDATA) 
Warning URL. This element will not be returned (it is notimplemented). 
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Map Report - Version 2 


API used 
<platform API server>/msp/map-2.php 


The map-2.php API returns live map results using the map-2.dtd. This is used for live map 
results only. 


DTD for Map Report v2 Output 


<platform API server>/map-2.dtd 
A recent DTD is below. 


<!-- OUALYS MAP-2 DTD --> 


<!ELEMENT MAP REQUEST (MAP*|ERROR*) > 


<!-- value is the report ref --> 
<!ELEMENT MAP (HEADER?, (IP+|ERROR) ?) > 


<!ATTLIST MAP 
value CDATA #IMPLIED> 


<!ELEMENT ERROR (#PCDATA) *> 
<!ATTLIST ERROR number CDATA #IMPLII 


Fl 


D> 


<!-- INFORMATION ABOUT THE MAP --> 
<!ELEMENT HEADER (KEY+, ASSET GROUPS?, USER ENTERED DOMAINS?, 
OPTION PROFILE?) > 


T 


<!ELEMENT KEY (#PCDATA) *> 
<!ATTLIST KEY 
value CDATA #IMP 


IED> 


<!ELEMENT ASSET GROUP (ASSET GROUP TITLE) > 
<!ELEMENT ASSET GROUPS (ASSET GROUP+) > 
<!ELEMENT ASSET GROUP_TITLE (#PCDATA) > 


<!ELEMENT USER ENTERED DOMAINS (DOMAIN+, NETBLOCK*) > 
<!ELEMENT DOMAIN (#PCDATA) > 

<!ELEMENT NETBLOCK (RANGE+) > 

<!ELEMENT RANGE (START+, END+)> 

<!ELEMENT START (#PCDATA) > 

<!ELEMENT END (#PCDATA) > 

<!ELEMENT OPTION PROFILE (OPTION PROFILE TITLE) > 
<!ELEMENT OPTION PROFILE TITLE (#PCDATA) > 

<!ATTLIST OPTION PROFILE TITLE 


option profile default CDATA IMPLIED 
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<!-- value is the IP --> 
<!-- type is the kind of server : router, mail server ... --> 
<!-- "port" is deprecated, replaced by "discovery" --> 


<!ELEMENT IP ((PORT*, 


<!ATTLIST IP 
value CDATA 


name C 
type C 


os CDATA #IMPLII 


netbio 
accoun 
networ 
networ 


<!-- value 
<!ELEMENT 
<!ATTLIST 


S 


K 
K 


p 


p 


DISCOVERY*, LINK*) | LINK+) ?> 


#REQUIRED 


DATA #IMPLII 


DATA +IMPLII 


CDATA #IMPLIED 
CDATA #IMPLIED 
CDATA #IMPLIED 


_id CDATA 


indicates 


IMPLIED> 


an open port on a server (deprecated) --> 


ORT (#PCDATA) *> 


ORT 


value CDATA #REQUIRED> 


<!-- value indicates a method that discovered this machine --> 
<!ELEMENT DISCOVERY (#PCDATA) *> 
<!ATTLIST DISCOVERY 
method CDATA #REQUIRED> 
<!-- value of a link, indicates the need to go trough a server to see --> 


<!-- another (ie. gat 


<!ELEMENT 


INK EMPTY> 


<!ATTLIST 


L 


INK 


eway or router) --> 


value CDATA #REQU 


IRED> 


XPaths for Map Report v2 output 


XPath element specification / notes 
/MAP (HEADER? (IP+|ERROR)?) 
attribute: value value is implied and, if present, is the reference number for the map 
/MAP/ERROR (#PCDATA)* 
attribute: number number is implied and, if present, is an error code 
/MAP/HEADER ((KEY+, ASSET_GROUPS?, USER. ENTERED. DOMAINS?, OPTION. PROFILE?) 
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XPath element specification / notes 
/MAP/HEADER/KEY (#PCDATA)* 
attribute: value value is implied and, if present, will be one of the following: 
USERNAME................... The Oualys user login name for the user that initiated 
the map reguest. 
COMPANY .................... The company associated with the Oualys user. 
DATE tibia ciate The date when the map was started. The date appears 


in YYYY-MM-DDTHH:MM:SSZ format (in 
UTC/GMT) like this: "2002-06-08T16:30:15Z" 
TITLE EEN A descriptive title. 
-.. The target domain. 
NBHOST_TOTAL ......... The total number of hosts included in the map. 


DURATION ........ .... The time it took to complete the map. 
SCAN HOST................. The IP address of the host that processed the map. 
REPORT. TYPE.............. The report type: “API” for an on-demand map reguest 


launched from the API, “On-demand” for an 
on-demand map reguest launched from the Oualys 
user interface, and “Scheduled” for a scheduled map. 

OPTIONS......... inime The option profile applied to the map. Note that the 
options information provided may be incomplete. 

DEFAULT. SCANNER.. The value 1 indicates that the default scanner was 
enabled for the map. 

ISCANNER, NAME...... The scanner appliance name or "external" (for external 
scanner) used for the map. 

STATUS lapie The job status of the map. 


FINISHED - The scanner(s) have finished the map job, the map results were 
loaded onto the platform, and hosts were discovered. 

NOHOSTALIVE - The scanner(s) have finished the map job, the map results 
were loaded onto the platform, and no devices were 
discovered. 

LOADING - The scanner(s) have finished the map job, and the map results are 
being loaded onto the platform. 

CANCELED - A user canceled the map, and the scanner(s) have stopped the 
map job. 

ERROR - An error occurred during the map, and the map did not complete. 

INTERRUPTED - The map was interrupted and did not complete. 
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XPath element specification / notes 
/MAP/HEADER/ASSET. GROUPS (ASSET. GROUP +) 

/MAP/HEADER/ASSET. GROUPS/ASSET. GROUP (ASSET. GROUP TITLE) 
/MAP/HEADER/ASSET. GROUPS/ASSET. GROUP/ASSET. GROUP TITLE (4PCDATA) 

The title of an asset group that was specified as a map target. 
/MAP/HEADER/USER ENTERED DOMAINS (DOMAIN+, NETBLOCK*) 
/MAP/HEADER/USER_ENTERED_DOMAINS/DOMAIN (#PCDATA) 

A domain name entered as a target for the map. 
/MAP/HEADER/USER_ENTERED_DOMAINS/NETBLOCK (RANGE+) 
/MAP/HEADER/USER_ENTERED_DOMAINS/NETBLOCK/RANGE (START+, END+) 
/MAP/HEADER/USER_ENTERED_DOMAINS/NETBLOCK/RANGE/START (#PCDATA) 

An IP address that represents the start of the netblock range. 
/MAP/HEADER/USER_ENTERED_DOMAINS/NETBLOCK/RANGE/END (#PCDATA) 

An IP address that represents the end of the netblock range. 
/MAP/HEADER/OPTION_PROFILE (OPTION_PROFILE_TITLE 
/MAP/HEADER/OPTION_PROFILE/OPTION_PROFILE_TITLE (#PCDATA) 

The title of the option profile, as defined in the Qualys user interface, that 

was applied to the map. 
attribute: option profile default is implied and, if present, is a code that specifies 


option profile default 


whether the option profile was defined as the default option profile in the 
user account. A value of 1 is returned when this option profile is the default. A 
value of 0 is returned when this option profile is not the default. 


/MAP/IP 


at 


a 
at 
a 


Ey) 


tr 


ttr 


tr: 


ibu 
ibut 
ibut 
ibut 


ibu 
ibut 


ibu 
ibu 


te: 


tes 


te: 


te; 


value 


: name 


: type 


. OS 


netbios 


account 


network 


network id 


((PORT* DISCOVERY*, LINK*)|LINK+)? 

value is required and is an IP address 

name is implied and, if present, is the device's registered DNS host name 
type is implied and, if present, will indicate a device type such as “router” 


os is implied and, if present, is a string indicating the device's operating 
system 


netbios is implied and, if present, is the device's Windows NetBIOS name 


account is implied and, if present, will be the following: 


E EI ka The user account allows the IP address to be scanned 
network is implied and indicates network selected for the map 


network id is implied and identifies a network ID when the networks 
feature is enabled in the subscription 
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ment specification / notes 


/MAP/IP/DISCOVERY 
attribute: method 


(#PCDATA) 


method is required and will be one of the following: 


DNSe eenn aka DNS lookup 
. DNS zone transfer detected 
. ICMP packets received from the host 


Reverse_DNS.. . Reverse DNS lookup 

TCP Port [n] ................... Open TCP port [number] 

TCP RST: -iirwsvstentitönta teie TCP reset packets received from the host 
TraceRoute ..................... Trace route 

UDP Port [n] .................. Open UDP port [number] 

Other Protocol or ICMP 


asd IP packet received from the host whose protocol is not 
TCP, UDP, or ICMP 
Other TCP Ports ............ TCP packet received containing source ports not in the 
list of probed ports 


/MAP/IP/PORT 


attribute: value 


(#P 


CDATA) 


value is required and will be one of the following: 


21. . FTP 


22). . SSH 
PAR S Telnet 
QD EE EE ENAT SMTP 
A DNS 
iaa HTTP 
A A POP3 
139 cnconccccocacononnnonnnonnnnanannno NetBios 
MA iia. HTTPS 


Note: The PORT element no longer appears in map reports, including new 


reports and existing reports saved on the Qualys platform. The PORT 
element may appear in existing reports that you have saved locally. 


/MAP/IP/LINK 


attribute: value 


EMPTY 


value is required. If /MAP/IP[Otype="router"] then there will be one 


/MAP/IP/LINK per host found 


thi 


Otherwise, value is the IP add 


va 


in the domain that is served by that router. In 
s Case, value will be the IP address of the host that this router serves. 
ess of the router that serves this host; if 
means that the router was protected by a 


ue is empty in this case, it 


firewall or otherwise shielded from discovery. 


No Devices Detected 


When a network discovery does not detect any devices, live map results are returned. Live 
map results include header information and an error message. Live map results are not 
saved on the Qualys server and cannot be retrieved. Sample live map results are shown 


below. 


<?xml version="1.0" 


ncoding="UTF-8" ?> 


<!DOCTYPE 


MAP R 


EOUEST SYSTEM "https://gualysapi.gualys.com/map-2.dtd"> 


<!-- Map 
SIS 
<MAP REOUEST> 
<MAP 
<HEADER> 


is running on: 
keep-alive --> 


mydomain.com --> 


value="map/1112217109.26598"> 
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<KEY value="USERNAME" >username< /KEY> 

<KEY value="COMPANY"><! [CDATA [My Company] ]></KEY> 

<KEY value="DATE">2005-03-30T21:11:48Z</KEY> 

<KEY value="TITLE"><! [CDATA [My Map] ]></KEY> 

<KEY value="TARGET">mydomain.com</KEY> 

<KEY value="NBHOST TOTAL">0</KEY> 

<KEY value="DURATION">00:00:31</KEY> 

<KEY value="SCAN HOST">hostname (SCANNER 2.9.39-1, WEB 4.0.102-1, 
VULNSIGS 1.10.74-1)</KEY> 

<KEY value="REPORT TYPE">API (default option profile)</KEY> 

<KEY value="STATUS">NOHOSTALIVE</KEY> 

<KEY value="OPTIONS"><! [CDATA [Information gathering: All Hosts, 


Perform live host sweep, Standard TCP port list, ICMP Host 
Discovery]]></KEY> 

<USER ENTERED DOMAINS> 
<DOMAIN><! [CDATA [mydomain.com] ] ></DOMAIN> 
</USER_ENTERED_DOMAINS> 

<OPTION PROFILE> 

<OPTION PROFILE TITLE option profile default="1"><![CDATA[Initial 

Options]]></OPTION PROFILE TITLE> 

</OPTION PROFI E> 


</HEADER> 
</ERROR number="4503">No host found</ERROR> 
</MAP> 
</ERROR number="4503">No host found</ERROR> 


</MAP_REQUEST> 
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Map Report - Single Domain 


API used 
<platform API server>/msp/map.php 


The map.php API returns a map report which identifies hosts found during the network 
discovery, and the discovery methods used to identify services on the hosts found. When 
no hosts are found, empty results are retumed. 

DTD for Map Report - Single Domain 

<platform API server>/map.dtd 

A recent DTD is below. 


<!-- QUALYS MAP DTD --> 


<!-- value is the report ref --> 

<!ELEMENT MAP (HEADER?, (IP+|ERROR)?) > 
<!ATTLIST MAP 
value CDATA #IMPLIED> 


<!ELEMENT ERROR (#PCDATA) *> 
<!ATTLIST ERROR number CDATA #IMPLII 


tf 
9) 
V 


<!-- INFORMATION ABOUT THE MAP --> 
<!ELEMENT HEADER (KEY+, ASSET GROUPS?, USER ENTERED DOMAINS?, 
OPTION PROFILE?) > 


<!ELEMENT KEY (#PCDATA) *> 
<!ATTLIST KEY 
value CDATA #IMP 


IED> 


<!ELEMENT ASSET GROUP (ASSET GROUP TITLE) > 
<!ELEMENT ASSET GROUPS (ASSET GROUP+) > 
<!ELEMENT ASSET GROUP TITLE (#PCDATA) > 


T USER ENTERED DOMAINS (DOMAIN+, NETBLOCK*) > 
T DOMAIN (#PCDATA) > 

T NETBLOCK (RANGE+)> 

T RANGE (START+, END+)> 

T START (#PCDATA) > 

T END (#PCDATA) > 


222424242 


<!ELEMENT OPTION PROFILE (OPTION PROFILE TITLE) > 
<!ELEMENT OPTION PROFILE TITLE (#PCDATA) > 


<!ATTLIST OPTION PROFILE TITLE 
option profile default CDATA #IMPLIED 


O 


T 


T 


> 

<!-- value is the IP --> 

<!-- type is the kind of server : router, mail server ... --> 
<!-- "port" is deprecated, replaced by "discovery" --> 
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value CDATA 


name CDATA 
type CDATA 
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PORT*, DISCOVERY*, LINK*) | LINK+) ?> 


#REQUIRED 
IMPLIED 
IMPLIED 


account CDATA #IMPLIED 
netbios CDATA #IMPLIED 


<!-- value indicates an open port on a server (deprecated) --> 


<!ELEMENT PORT 
<!ATTLIST PORT 
value CDAT 


(#PCDATA) *> 


TA #REQUIRED> 


<!-- value indicates a method that successfully discovered this machine - 


=> 


<!ELEMENT DISCOVERY (#PCDATA) *> 


<!ATTLIST DISCOVERY 


method CDATA #REQUIRED> 


<!-- value of a link, indicates the need to go trough a server to see --> 
<!-- another (ie. gateway or router) --> 
<!ELEMENT LINK EMPTY> 


<!ATTLIST 


LINK 


value CDATA #REQUIRED> 


XPaths for Map Report - Single Domain 


XPath 


element specification / notes 


/MAP 


attribute: value 


(HEADER? (IP+|ERROR)?) 


value is implied and, if present, is the reference number for the map 


/MAP/ERROR (#PCDATA)* 
attribute: number number is implied and, if present, is an error code 
/MAP/HEADER (KEY)+ 
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XPath element specification / notes 
/MAP/HEADER/KEY (PCDATA)* 
attribute: value value is implied and, if present, will be one of the following: 
USERNAME .................. The Oualys user login name for the user that initiated 
the map reguest. 
COMPANY .................... The company associated with the Oualys user. 
DATE naut fanana The date when the map was started. The date appears 


in YYYY-MM-DDTHH:MM:SSZ format (in 
UTC/GMT) like this: "2002-06-08T16:30:15Z" 

LTE, E A descriptive title. When the user specifies a title for 
the map request, the user-supplied title appears. When 
unspecified, a standard title is assigned. 


TARGET... The target domain. 

NBHOST_TOTAL.......... The total number of hosts included in the map. 
DURATION................... The time it took to complete the map. 

SCAN HOST... .... The IP address of the host that processed the map. 
REPORT_TYPE .............. The report type: “API” for an on-demand map request 


launched from the API, “On-demand” for an 
on-demand map request launched from the Qualys 
user interface, and “Scheduled” for a scheduled map. 

OPTIONS... neeme The option profile applied to the map. Note that the 
options information provided may be incomplete. 

DEFAULT. SCANNER. The value 1 indicates that the default scanner was 

enabled for the map. 

The name of the scanner appliance applied to the map. 

The job status of the map. 

The scanner(s) have finished the map job, the map 

results were loaded onto the platform, and hosts were 

discovered. 

NOHOSTALIVE............ The scanner(s) have finished the map job, the map 
results were loaded onto the platform, and no devices 
were discovered. 


LOADING... The scanner(s) have finished the map job, and the map 
results are being loaded onto the platform. 

CANCELED .................. A user canceled the map, and the scanner(s) have 
stopped the map job. 

ERROR conoccccincnccncncninnonos An error occurred during the map, and the map did 
not complete. 

INTERRUPTED.............. The map was interrupted and did not complete. 
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XPath element specification / notes 
/MAP/HEADER/ASSET. GROUPS (ASSET. GROUP +) 

/MAP/HEADER/ASSET. GROUPS/ASSET. GROUP (ASSET. GROUP TITLE) 
/MAP/HEADER/ASSET. GROUPS/ASSET. GROUP/ASSET. GROUP TITLE (4PCDATA) 

The title of an asset group that was specified as a map target. 
/MAP/HEADER/USER ENTERED DOMAINS (DOMAIN+, NETBLOCK*) 
/MAP/HEADER/USER_ENTERED_DOMAINS/DOMAIN (#PCDATA) 

A domain name entered as a target for the map. 
/MAP/HEADER/USER_ENTERED_DOMAINS/NETBLOCK (RANGE+) 
/MAP/HEADER/USER_ENTERED_DOMAINS/NETBLOCK/RANGE (START+, END+) 
/MAP/HEADER/USER_ENTERED_DOMAINS/NETBLOCK/RANGE/START (#PCDATA) 

An IP address that represents the start of the netblock range. 
/MAP/HEADER/USER_ENTERED_DOMAINS/NETBLOCK/RANGE/END (#PCDATA) 

An IP address that represents the end of the netblock range. 
/MAP/HEADER/OPTION_PROFILE (OPTION_PROFILE_TITLE 
/MAP/HEADER/OPTION_PROFILE/OPTION_PROFILE_TITLE (#PCDATA) 

The title of the option profile, as defined in the Qualys user interface, that 

was applied to the map. 
attribute: option profile default is implied and, if present, is a code that specifies 


option profile default 


whether the option profile was defined as the default option profile in the 
user account. A value of 1 is returned when this option profile is the default. A 
value of 0 is returned when this option profile is not the default. 


/MAP/IP 


a 
a 
a 
a 


at 


ttr 


ttr 


ttr 


tr 


ibu 
ibut 
ibut 
ibut 


ibu 


ibu 


te. 


te: 


te; 


value 


: name 


: type 


. OS 


account 


netbios 


/MAP/IP/DISCOVERY 


at 


tr 


ibu 


te: 


method 


(BORA DiS EOMER YA EENE EEN EE) ice 

value is required and is an IP address 

name is implied and, if present, is an Internet host name 

type is implied and, if present, will indicate a device type such as “router” 


os is implied and, if present, is a string indicating the device’s operating 
system 


account is implied and, if present, will be the following: 


VESA The user account allows the IP address to be scanned 


netbios is implied and, if present, is the device’s Windows NetBIOS name 
(#PCDATA) 


method is required and will be one of the following: 


DNSe nra .. DNS lookup 

DNS Zone Transfer ....... DNS zone transfer detected 

IGMP? a:nn ICMP packets received from the host 
Reverse. DNS................. Reverse DNS lookup 

TCP Port [n] ................... Open TCP port [number] 

TCP RS Torere TCP reset packets received from the host 
TraceRoute ... . Trace route 

UDP Port [n] .................. Open UDP port [number] 

Other Protocol or ICMP 


pianos IP packet received from the host whose protocol is not 
TCP, UDP, or ICMP 
Other TCP Ports ............ TCP packet received containing source ports not in the 
list of probed ports 
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XPath element specification / notes 


/MAP/IP/PORT (#PCDATA) 
value is required and will be one of the following: 


attribute: value 


Note: The PORT element no longer appears in map reports, including new reports 
and existing reports saved on the Qualys platform. The PORT element may appear 


in existing reports that you have saved locally. 


/MAP/IP/LINK EMPTY 

value is required. If /MAP/IP[Otype="router"] then there will be one 
/MAP/IP/LINK per host found in the domain that is served by that router. In 
this case, value will be the IP address of the host that this router serves. 
Otherwise, value is the IP address of the router that serves this host; if 
value is empty in this case, it means that the router was protected by a 


firewall or otherwise shielded from discovery. 


attribute: value 
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Map Report List Output 


API used 
<platform API server>/msp/map report list.php 


DTD for Map Report List Output 
<platform API server>/map report lists.dtd 
A recent DTD is below. 


<!-- QUALYS MAP REPORT LIST DTD --> 


<!ELEMENT MAP REPORT LIST (ERROR | MAP REPORT*))> 


<!ATTLIST MAP REPORT LIST 
user CDATA #REQUIRED 
from CDATA #REQUIRED 
to CDATA #REQUIRED 


with domain CDATA #IMP 


H 

mal 
CO 
V 


<!ELEMENT ERROR (#PCDATA) *> 
<!ATTLIST ERROR number CDATA #IMPLIED> 


<!ELEMENT MAP REPORT (TITLE, ASSET GROUPS?, OPTION PROFILE?) > 

<!ATTLIST MAP REPORT 
ref CDATA #REQUIRED 
date CDATA #REQUIRED 
domain CDATA #REQUIRED 
status CDATA #REQUIRED> 


<!ELEMENT TITLE (#PCDATA) > 

<!ELEMENT ASSET GROUP (ASSET GROUP_TITLE) > 
<!ELEMENT ASSET GROUPS (ASSET GROUP+)> 
<!ELEMENT ASSET GROUP TITLE (#PCDATA) > 


<!ELEMENT OPTION PROFILE (OPTION PROFILE TITLE) > 
<!ELEMENT OPTION PROFILE TITLE (#PCDATA) > 


<!ATTLIST OPTION PROFILE TITLE 
option profile default CDATA #IMPLIED 


<!-- EOF --> 
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XPaths for Map Report List 


XPath 


element specification / notes 


Chapter 2 - Scans XML 


/MAP REPORT. LIST 
attribute: user 


attribute: from 


attribute: to 


attribute: with_domain 


(ERROR | MAP. REPORT”) 


user is required and is the Qualys user name. 


from is required and is the oldest date in the available map reports, 


in YYYY-MM-DDTHH:MM:SSZ format (in U 
"2002-06-08T16:30:15Z" 


C/GM 


to is required and is the newest date in the available m 


in YYYY-MM-DDTHH:MM:SSZ format (in U 


C/GM 


) like this: 


ap reports, 


) 


with_domain is implied and, if present, is a domain found in each 


of the map reports in the list 


/MAP_REPORT_LIST/ERROR 


attribute: number 


/MAP_REPORT_LIST/MAP_REPORT (TII 


attribute: ref 


attribute: date 


attribute: domain 


attribute: status 


(#PCDATA)* 


number is implied and, if present, is an error code 


PLE, ASSET_GROUPS?, OPTION. PROFILE?) 


ref is required and is the reference, or key, for the map 


date is reguired and is the date when the network discovery was 


UTC/GMT) 


performed, in YYYY-MM-DDTHH:MM:SSZ format (in 


domain is required and is the domain for which the map was 


produced 


status is required and is the job status reported for the map. 


QUEUED - A user launched the map or the service started a map 
based on a map schedule. The map job is waiting to be distributed 


to scanner(s). 


esults are being loaded onto the platform. 


esults were loaded onto the platform. 


not alive). 


complete. 


RUNNING - The scanner(s) are actively running the map job. 
LOADING - The scanner(s) finished the map job, and the map 


FINISHED - The scanner(s) have finished the map job, and the map 
CANCELED - A user canceled the map, the scanner(s) have 
stopped the map job, and some results may be available. 
NOHOSTALIVE - The scanner(s) finished the map job, the map 
esults were loaded onto the platform, and target hosts were down 


ERROR - An error occurred during map, and the map did not 


NTERRUPTED - The map was interrupted and did not complete. 


/MAP_REPORT_LIST/MAP_REPORT/TITLE 


(#PCDATA)* 
The map title. 


/MAP_REPORT_LIST/MAP_REPORT/ASSET_GROUPS (ASSET_GROUP+) 
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XPath element specification / notes 
/MAP REPORT LIST/MAP REPORT/ASSET. GROUPS/ASSET. GROUP (ASSET. GROUP TITLE) 
(#PCDATA) 


The title of an asset group that was specified as a map target. 
/MAP_REPORT_LIST/MAP_REPORT/OPTION_PROFILE (OPTION_PROFILE_TITLE) 
/MAP_REPORT_LIST/MAP_REPORT/OPTION_PROFILE/OPTION_PROFILE_TITLE (#PCDATA) 


The title of the option profile that was applied to the map. 


attribute: option_profile default is implied and, if present, specifies 
option profile default whether the option profile was defined as the default in the user 
account. A valid value is: 1 (option profile is the default), or 
0 (option profile is not the default). 
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EC2 Instance ID Scan Launch Output 


This is a DTD for the Scan Launch output. You can use it when launching the EC2 scan 
and specify EC2 instance IDs as part of the scan target, we can identify and skip any 
invalid instances and continue the scan on the valid instances. 


DTD for EC2 Instance ID Scan Launch Output 
<platform>/api/2.0/fo/scan/dtd/launch_output.dtd 


<!ELEMENT SIMPLE RETURN (REQUEST?, RESPONSE) > 


s 

<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
) 
D 


POST DATA? 
<!ELEMENT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (#PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA) > 
<!ELEMENT PARAM LIST (PARAM+) > 
<!ELEMENT PARAM (KEY, VALUE) > 
<!ELEMENT KEY (#PCDATA) > 
<!ELEMENT VALUE (#PCDATA) > 
<!-- If specified, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 
<!ELEMENT RESPONSE (DATETIME, CODE?, 
<!ELEMENT CODE (#PCDATA) > 
<!ELEMENT TEXT (#PCDATA) > 
<!ELEMENT NOTIFICATION (#PCDATA) > 
<!ELEMENT ITEM LIST (ITEM+) > 
<!ELEMENT ITE (KEY, VALUE*) > 
Sc (BOR SEA 


H 


EXT, NOTIFICATION?, ITEM LIST?)> 


XPaths for EC2 Instance ID Scan Launch 


XPath element specifications / notes 
/SCAN_LAUNCH_OUTPU (REOUEST?, RESPONSE) 
/SCAN_LAUNCH_OUTPUT/REQUEST 
(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/SCAN LAUNCH OUTPUT/REOUEST/DATETIME  (#PCDATA) 


The date and time of the request. 
/SCAN LAUNCH OUTPUT/REOUEST/USER LOGIN (#PCDATA) 


The user login ID of the user who made the request. 
/SCAN_LAUNCH_OUTPUT/REQUEST/RESOURCE  (#PCDATA) 


The resource specified for the request. 
/SCAN LAUNCH OUTPUT/REOUEST/PARAM LIST  (PARAM+) 
/SCAN_LAUNCH_OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
/SCAN_LAUNCH_OUTPUT/ EST/PARAM LIST/PARAM/KEY  (#PCDATA) 
The input parameter name. 

/SCAN LAUNCH OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE (#PCDATA) 


bs] 
a 
€ 
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XPath element specifications / notes 


The input parameter value. 
/SCAN LAUNCH OUTPUT/REOUEST/POST. DATA — (*PCDATA) 

The POST data, if any. 
/SCAN_LAUNCH_OUTPUT/RESPONSE 

(DATETIME, CODE?, TEXT, NOTIFICATION?, ITEM LIST?) 
/SCAN_LAUNCH_OUTPUT/CODE (#PCDATA) 

he POST data, if any. 

/SCAN_LAUNCH_OUTPUT/TEXT (#PCDATA) 


he POST data, if any. 
/SCAN_LAUNCH_OUTPUT/NOTIFICATION (#PCDATA) 


The user will receive scan launch output notification message. 
/SCAN_LAUNCH_OUTPUT/ITEM_LIST(ITEM+ 
/SCAN_LAUNCH_OUTPUT/ITEM (IKEY, VALUE”) 


The scan launch output item key value. 
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Chapter 3 - Scan Configuration XML 


This section describes XML returned from Scan API reguests for search lists, scanner 
appliances, option profiles. 


Scanner Appliance List Output 
Scanner Appliance Create Output 
Replace Scanner Appliance Output 
Static Search List Output 

Dynamic Search List Output 
Option Profile Output 


Scanner Appliance List Output 


API used 
<platform API server>/api/2.0/fo/appliance/ with action=list 


DTD for Scanner Appliance List Output 
<platform API server>/api/2.0/fo/appliance/appliance_list_output.dtd 
A recent DTD is shown below. 


<!-- QUALYS APPLIANCE LIST OUTPUT DTD --> 


<!ELEMENT APPLIANCE LIST OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 
<!ELEMENT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (#PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA) > 
<!ELEMENT PARAM LIST (PARAM+) > 
<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 


<!ELEMENT POST DATA (#PCDATA) > 


<!ELEMENT RESPONSE (DATETIME, APPLIANCE LIST?, LICENSE_INFO?)> 
<!ELEMENT APPLIANCE LIST (APPLIANCE+) > 
<!ELEMENT APPLIANCE (ID, UUID, NAME, NETWORK_ID?, 

SOFTWARE VERSION, RUNNING SLICES COUNT, RUNNING SCAN COUNT, STATUS, 

CMD ONLY START?, MODEL NUMBER?, TYPE?, SERIAL NUMBER?, ACTIVATION CODE?, 
INTERFACE SETTINGS*, PROXY SETTINGS?, IS CLOUD DEPLOYED?, CLOUD INFO?, 


VLANS?, STATIC ROUTES?, ML LATEST?, ML VERSION?, VULNSIGS LATEST?, 
VULNSIGS VERSION?, ASSET GROUP COUNT?, ASSET GROUP LIST?, 
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ASSET TAGS LIST?, 


H 


EARI 


TB 


EATS MISSED?, 


US 


IP ADDR 


ER_LIST?, 


PORT, 


GCI 


_ INFO?, 


zo] 
FA 


UPDATE 


LAST U 


SS 


<!E 


EMEN 


<!E 


EMEN 


PDAT 


D?, COMM 


m 


m 
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ED DATE?, 


POLLING_INTERVAL?, 


CONNECTION?, 


ti 
2 
E 
n 


aU 


<!E 


EMEN 


m 


5 


<!E 


EMEN 


m 


E 
= 


<!E 


<!E 


<!E 


<!E 


<!E 


m 


E E 0 
zZ tj 
Z 


NN 


a 


> 


USER_LOGIN?, 


ENABL 


SS_LAST_CONNECT 
RUNNING. SCANS?, 
DATA) > 

PCDATA) > 
DATA) > 
D (PC 
ERSION 
SNTC 
ING_SCAN_CO 
US (#PCDATA 


ED?, FDCC 


DATA) > 
(#PCDATA) > 

ES COUNT (#PCDATA) > 
UNT (#PCDATA) > 
)> 


H 
A 
Q 
un 


PCDATA) > 


<!E 


DATA) > 


<!E 


T 


ER (#PCDATA)> 


<!E 


EMEN 


HPNEKRANADNZAAGH 


CODE (#PCDATA) > 


ED?, 


[AX CAPACITY UNITS?) > 


<!E 


EMEN 


INT 


N 


ESS, 


ETMASK, 


GAT 


ETTINGS (SETTING?, 


PV6 ADDRESS?, SPEED, 


<!EL 


NG (#PCDATA) > 


<!EL 


<!EL 


ERFACE (#PCDATA) > 
S (#PCDATA) > 


<!EL 


PCDATA) > 


<!EL 


PCDATA) > 


<!EL 


DATA) > 


<!EL 


DRESS (#PCDATA) > 


<!EL 


PCDATA) > 


<!EL 


(#PCDATA) > 


<!EL 


<! 


EM 


USI 


t 
9 
V 


AIN?, PRIMARY, SECONDAR 


PCDATA) > 


ARY (#PCDATA) > 


mM +t 


ECONDARY 


<!EL 


(+ PCDATA) > 
(SETTING, PROXY*)> 
IP ADDRESS?, 


ETTINGS 
PROTOCOL?, 


ENT PROTOCOL (#PCDATA) > 


ENT HOSTNAME (#PCDATA) > 


ENT PORT (#PCDATA) > 


ENT USER (#PCDATA) > 


AZURE 


INSTANC 


, ID?, AMI I 


E ZONE TYPE, 


DRESS PRIVATE? 


EM 


ENT 


OUD D 
D INFO 


EPLOYED 
(PLATFORI 


PCDATA) > 
| PROVIDER, 


EC2_ 


PLATFORM PROVIDER 


(#PCDATA) > 


Y)> 


HOSTNAME?, 


INFO?, 


EM 


ENT 


EC2 INFO (INSTANCE ID, INSTANCE 


TYPE, 


HOSTNAME 


<! 
<! 
<! 
<! 


UNT I 


D 
IN 


IN 


W m 


S 
A 


, 


STANCE 


EGION, INSTANCE AVAILAB 


I 


ITY ZONE 


INSTANC 


STANCE VPC ID?, 
PRIVATE?, 

CURITY GROUPS?, 
I PROXY SETTINGS) > 


E SUBN 


ELE 


ENT INSTANCE ID (#PCDATA) > 


ELE 


ENT INSTANCE TYPE (#PCDATA) > 


ELE 


ENT KERNEL ID (#PCDATA) > 


ELE 


ENT D (#PCDATA) > 


78 


s 


ET ID?, 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 3 - Scan Configuration XML 


<!ELEMENT ACCOUNT ID (#PCDATA) > 
<!ELEMENT INSTANCE REGION (#PCDATA) > 
<!ELEMENT INSTANCE AVAILABILITY ZONE (#PCDATA) > 
<!ELEMENT INSTANCE ZONE TYPE (#PCDATA) > 
<!ELEMENT INSTANCE VPC_ID (#PCDATA) > 
<!ELEMENT INSTANCE SUBNET ID (#PCDATA) > 
<!ELEMENT IP ADDRESS PRIVATE (#PCDATA) > 
<!ELEMENT HOSTNAME PRIVATE (#PCDATA) > 
<!ELEMENT SECURITY GROUPS (SECURITY GROUP IDS?, 
SECURITY GROUP_NAMES?) > 
<!ELEMENT SECURITY GROUP IDS (#PCDATA) > 
<!ELEMENT SECURITY GROUP NAMES (#PCDATA) > 
<!ELEMENT API PROXY SETTINGS (SETTING, PROXY*)> 


<!ELEMENT GCE INFO (INSTANCE ID, MACHINE TYPE, 
PROJECT ID, PROJECT NAME, 
PREEMPTIBLE, 
INSTANCE ZONE, 

IP ADDRESS PRIVATE?, HOSTNAME PRIVATE?, 


IP ADDRESS PUBLIC?, 


INSTANCE NETWORK, 
GCE INSTANCE TAGS 
) 


<!ELEMENT MACHINE TYPE (#PCDATA)> 

<!ELEMENT PROJECT ID (#PCDATA)> 

<!ELEMENT PROJECT NAME (#PCDATA)> 

<!ELEMENT PREEMPTIBLE (#PCDATA)> 

<!ELEMENT INSTANCE ZONE (#PCDATA)> 

<!ELEMENT GCE INSTANCE TAGS (GCE INSTANCE TAG*)> 
<!ELEMENT GCE INSTANCE TAG (TAG ID)> 
<!ELEMENT TAG ID (#PCDATA) > 

<!ELEMENT IP ADDRESS PUBLIC (#PCDATA) > 


<!ELEMENT INSTANCE NETWORK (#PCDATA) > 


El 


<!ELEMENT AZURE INFO (INSTANCE ID, USER NAME, 
INSTANCE LOCATION, DEPLOYMENT MODE, 
IP ADDRESS PRIVATE?, HOSTNAME PRIVATE?) > 
<!ELEMENT USER NAME (#PCDATA) > 
<!ELEMENT INSTANCE LOCATION (#PCDATA) > 


<!ELEMENT DEPLOYMENT MODE (#PCDATA) > 


<!ELEMENT VLANS (SETTING, VLAN*) > 
<!ELEMENT VLAN (ID, NAME, IP ADDRESS?, NETMASK?, 
IPV6 ADDRESS?, IPV6_SLAAC?) > 
<!ELEMENT IPV6 SLAAC EMPTY> 
<!ELEMENT STATIC ROUTES (ROUTE*)> 
<!ELEMENT ROUTE (NAME, IP_ADDRESS?, NETMASK?, GATEWAY?, 
IPV6 ADDRESS?, IPV6 NETWORK?, IPV6 GATEWAY?) > 
<!ELEMENT IPV6 NETWORK (#PCDATA) > 
<!ELEMENT IPV6 GATEWAY (#PCDATA) > 


<!ELEMENT , LATEST (#PCDATA) > 
<!ELEMENT , VERSION (#PCDATA) > 
<!ATTLIST , VERSION updated CDATA #IMPLIED> 


<!ELEMENT VULNSIGS LATEST (#PCDATA) > 
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<!ELEMENT VULNSIGS VERSION (#PCDATA) > 

<!ATTLIST VULNSIGS VERSION updated CDATA #IMPLIED> 
<!ELEMENT ASSET GROUP COUNT (#PCDATA) > 

<!ELEMENT ASSET GROUP LIST (ASSET GROUP*) > 

<!ELEMENT ASSET GROUP (ID, NAME)> 

<!ELEMENT ASSET TAGS LIST (ASSET TAG*)> 

<!ELEMENT ASSET TAG (UUID, NAME) > 


<!ELEMENT LAST UPDATED DATE (#PCDATA) > 
<!ELEMENT POLLING INTERVAL (#PCDATA) > 
<!ELEMENT HEARTBEATS MISSED (#PCDATA) > 
<!ELEMENT SS CONNECTION (#PCDATA) > 
<!ELEMENT SS LAST CONNECTED (#PCDATA) > 
<!ELEMENT FDCC_ENABLED (#PCDATA) > 
<!ELEMENT USER LIST (USER ACCOUNT*) > 
<!ELEMENT USER ACCOUNT (ID, NAME) > 


<!ELEMENT UPDATED (#PCDATA) > 
<!ELEMENT COMMENTS (#PCDATA) > 
<!ELEMENT RUNNING SCANS (SCAN+) > 

<!ELEMENT SCAN (ID, TITLE, REF, TYPE, SCAN DATE) > 

<!ELEMENT TITLE (#PCDATA) > 

<!ELEMENT REF (#PCDATA) > 

<!ELEMENT TYPE (#PCDATA) > 

<!ELEMENT SCAN DATE (#PCDATA) > 


<!ELEMENT MAX CAPACITY UNITS (#PCDATA) > 


EME 


NT LICENSE INFO (OVSA LICENSES COUNT, OVSA LICENSES USED) > 


EOF --> 


EMENT OVSA LICENSES COUNT (#PCDATA) > 


EMENT OVSA LICENSES USED (#PCDATA) > 


XPaths for Scanner Appliance List Output 


XPath element specifications / notes 
/APPLIANCE LIST OUTPUT (REOUEST?,RESPONSE) 
/APPLIANCE LIST OUTPUT/REOUEST 
(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/APPLIANCE LIST OUTPUT/REOUEST/DATETIME (#PCDATA) 
The date and time of the API request. (This element appears only when the 
API request includes the parameter echo_request=1.) 
/APPLIANCE LIST OUTPUT/REOUEST/USER LOGIN (#PCDATA) 
The user login ID of the user who made the request. (This element appears 
only when the API reguest includes the parameter echo reguest=1.) 
/APPLIANCE LIST OUTPUT/REOUEST/RESOURCE  (#PCDATA) 
The resource specified for the reguest. (This element appears only when 
the API reguest includes the parameter echo reguest=1.) 
/APPLIANCE LIST OUTPUT/REOUEST/PARAM LIST  (PARAM+) 
/APPLIANCE _OU /REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
/APPLIANCE _OUTPUT/REQUEST/PARAM_LIST/PARAM/KEY (#PCDATA) 
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element specifications / notes 
An input parameter name. (This element appears only when the API 


eguest includes the parameter echo reguest=1.) 


/APPLIANCE 


OU 


EOUEST/PARAM LIST/PARAM/VALUE  (#PCDATA) 


An input parameter value. This element appears only when the API reguest 
includes the parameter echo reguest=1. 


/APPLIANCE 


OU 


The 


EOUEST/POST DATA — (4PCDATA) 


POST data, if any. (This element appears only when the API reguest 


ncludes the parameter echo reguest=1.) 


/APPLIANCE 


OU 


ESPONSE 
DATETIME, (APPLIANCE LIST?, LICENSE INFO?) 


/APPLIANCE | 


OU 


The 


ESPONSE/DATETIME (#PCDATA) 


date and time of the Qualys response. 


/APPLIANCE_ 


Wn 


OU 


PUT/R 


ESPONSE/APPLIANCE LIST (APPLIANCE+) 


/APPLIANCE 


Wn 


BOWER 


INT 


ASS 
EOI 


ESPONSE/APPLIANCE_LIST/APPLIANCE 


(ID, NAME, SOFTWARE_VERSION, RUNNING_SLICES_COUNT, 
RUNNING_SCAN_COUNT, STATUS, CMD_ONLY_START?, 
MODEL NUMBER?, TYPE?, SERIAL NUMBER?, ACTIVATION_CODE?, 


ERFACE. SETTINGS*, PROXY_SETTINGS?, IS CLOUD. DEPLOYED?, 


CLOUD INFO?,VLANS?, STATIC ROUTES?, ML LATEST?, ML VERSION?, 
VULNSIGS LATEST?, VULNSIGS VERSION?, ASSET GROUP COUNT?, 


ET GROUP LIST?, ASSET. TAGS LIST?, LAST UPDATED DATE?, 
LING INTERVAL?, USER LOGIN?, HEARTBEATS MISSED?, 


SS CONNECTION?, SS LAST CONNECTED?, FDCC_ENABLED?, 


USE 


MAX CAPACITY UNITS?) 


R LIST?, UPDATED?, COMMENTS?, RUNNING. SCANS?, 


/APPLIANCE 


_OU 


ESPONS 
The 


E/APPLIANCE_LIST/APPLIANCE/ID (#PCDATA) 


scanner appliance ID. 


/APPLIANCE 


KOU 


ESPONS 


The f 


E/APPLIANCE LIST/APPLIANCE/NAME (#PCDATA) 


riendly name ofthe scanner appliance. 


/APPLIANCE 


OU 


ESPONS 


E/APPLIANCE LIST/APPLIANCE/SOFTWARE VERSION (#PCDATA) 


The scanner appliance system software, which is installed on the appliance 
itself, 


/APPLIANCE 


OU 


ESPONS 


The 


(#PCDATA) 


E/APPLIANCE_LIST/APPLIANCE/RUNNING_SLICES_COUNT 


number of slices running on the appliance. A slice represents a portion 


of work being performed for a scan. A value of “O” indicates that the 
appliance is not busy because it is not working on a slice (it’s available for a 


new scan). Any other value indicates that the appliance is busy. 


Keep this in mind - When you distribute a scan to multiple appliances, then 


one 


or more appliances may finish their portion of the scan job while other 


appliances are still working on the scan. This means the scan status is 


Run 


ning but appliances may be available. 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/RUNNING_SCAN_COUNT 


(#PCDATA) 


The 


number of scans currently running on the scanner appliance. 
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element specifications / notes 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/STATUS (#PCDATA) 


The scanner appliance heartbeat check status. “Online” indicates the 
appliance did not miss the most recent heartbeat check. “Offline” indicates 
the appliance missed one or more heartbeat checks because it did not 
contact the Security Operations Center. (Heartbeat checks occur every 4 
hours.) 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/CMD. ONLY START  (*PCDATA) 


The date/time an appliance enters into CMD Only (command only) mode. 
This mode may be entered for various reasons, such as when a session 
expires. 


/APPLIANG 


ESPONSE/APPLIANCE LIST/APPLIANCE/MODEL NUMBER  (#PCDATA) 


The model number of the scanner appliance. (Appears when 
output_mode=full. is specified in API request. 


/APPLIANC 


d 
ESPONSE/APPLIANCE LIST/APPLIANCE/TYPE (#PCDATA) 


The type of the scanner appliance: physical or virtual or offline. (Appears 
when output mode=full. is specified in API reguest.) 


/APPLIANC 


ESPONSE/APPLIANCE LIST/APPLIANCE/SERIAL NUMBER  (#PCDATA) 


The serial number (ID) of the scanner appliance. (Appears when 
output mode=full. is specified in API reguest.) 


/APPLIANG 


ESPONSE/APPLIANCE LIST/APPLIANCE/ACTIVATION CODE  (*PCDATA) 


The activation code provisioned for the scanner appliance. (Appears when 
output mode=full. is specified in API reguest.) 


/APPLIANC 


ESPONSE/APPLIANCE LIST/APPLIANCE/INTERFACE SETTINGS 
(SETTING?, INTERFACE, IP ADDRESS, NETMASK, GATEWAY, LEASE, 


IPV6_ADDRESS?, SPEED, DUPLEX, DNS) 


/APPLIANC 
SETTING 


ESPONSE/APPLIANCE_LIST/APPLIANCE/INTERFACE_SETTINGS/ 


A flag indicating whether the WAN interface is disabled. When the WAN 
interface is disabled, the value Disabled appears. When enabled, this 
element is not displayed (Appears when output mode=full. is specified in 
API request.) 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/INTERFACE_SETTINGS/ 


INTERFACE (#PC DATA 


The network interface: “lan” or “wan”. (Appears when output mode=full. is 
specified in API request.) 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/INTERFACE_SETTINGS/ 
IP ADDRESS (#PCDATA) 


The LAN or WAN IP address. (Appears when output mode=full. is specified 
in API reguest.) 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/INTERFACE_SETTINGS/ 


NETMASK 


(#PCDATA) 


The netmask value for the LAN or WAN interface.(Appears when 
output mode=full. is specified in API request.) 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/INTERFACE_SETTINGS/ 


GATEWAY 


(#PCDATA) 


The gateway IP address for the LAN or WAN interface. (Appears when 
output mode=full. is specified in API request.) 
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/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/INTERFACE. SETTINGS/ 
LEASE (#PCDATA) 


The lease for the LAN 


Dynamic for DHCP. (Appears when output_mode=ful 


request.) 


or WAN interface: Static for a static IP address or 


. is specified in API 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/INTERFACE_SETTINGS/ 


IPV6 ADDRESS (#PCDATA) 


The LAN Pv5 address, 
in API reguest. 


< 


if any. (Appears when output mode=full. is specified 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/AP 


SPEED (#PCDATA) 


The speed of 
is specified in 


PLIANCE/INTERFACE_SETTINGS/ 


the LAN or WAN interface. (Appears when output mode=full. 
API request. 


/APPLIANCE_LIST_O 
DUPLEX (#PCDATA 


UTPUT/RESPONSE/APPLIANCE_LIST/AP 


AE 


ANCE/INTERFACE. SETT 


The duplex setting for the LAN or WAN port links: Fu 
or Unknown. (Appears when output mode=full. is sp 


PINGS/ 


1 Duplex, Half Duplex, 
ecified in API reguest.) 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/INTERFACE, SETTINGS/ 
DNS (DOMAIN?, PRIMARY, SECONDARY) 
/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/INTERFACE_SETTINGS/ 
DNS/DOMAIN (#PCDATA) 


The domain name of the 
specified in API request.) 


DNS server. (Appears when ou 


tput_mode=full. is 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/INTERFACE_SETTINGS/ 

DNS/PRIMARY (#PCDATA) 

The IP address of the primary DNS server. (Appears when 
output mode=full. is specified in API request.) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/INTERFACE_SETTINGS/ 

DNS/SECONDARY (#PCDATA 
The IP address of the secondary DNS server. (Appears when 
output mode=full. is specified in API request.) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/PROXY_SETTINGS 
(SETTING, PROXY* 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/PROXY_SETTINGS/PROXY 
(PROTOCOL?, IP_ADDRESS?, HOSTNAME?, PORT, USER) 

These elements appear as applicable only when the API request includes 
the parameter output_mode=full. 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/IS. CLOUD. DEPLOYED (4PCDATA) 
Set to 1 when virtual appliance is deployed on cloud platform. (Appears 
when output mode=full. is specified in API reguest.) 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/CLOUD INFO 
(PLATFORM. PROVIDER, EC2 INFO?, GCE INFO?, AZURE INFO?) 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/CLOUD INFO/ 

PLATFORM. PROVIDER (#PCDATA) 

Platform provider, one of: ec2, azure, gce. (Appears when 
output mode=full. is specified in API reguest.). 
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/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/A 


PPL 
(INSTANCE_ID, INSTANCE_TYPE 


= > 


INSTANCE_REGION, INSTANCE_AVAILABILITY_ZONE, 
INSTANCE_ZONE_TYPE, INSTANC 


ANC 


E/CLOUD_INFO/EC2_INFO 
KERNEL ID?, AMI ID, ACCOUNT. ID, 


E VPC ID?, INSTANCE_SUBNET_ID?, 


IP ADDRESS PRIVATE?, HOSTNAME. PRIVATE?, SECURITY GROUPS?, 


API PROXY. SETTINGS) 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/CLOUD INFO/EC2 INFO/ 
INSTANCE ID (#PCDATA) 
EC2 instance ID. (Appears when output mode=full is specified in API 
reguest). 
/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/CLOUD INFO/EC2 INFO/ 
INSTANCE_TYPE (#PCDATA) 
EC2 instance type. (Appears when output_mode=full is specified in API 
request). 
/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 
KERNEL_ID (#PCDATA) 
EC2 kernel ID. (Appears when output_mode=full is specified in API request). 
/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 
AMI_ID (#PCDATA) 
EC2 AMI ID. (Appears when output mode=full is specified in API request). 
/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/CLOUD INFO/EC2 INFO/ 
ACCOUNT. ID (#PCDATA 
EC2 account ID. (Appears when output mode=full is specified in API 
request). 
/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 
INSTANCE_REGION (#PCDATA) 
EC2 instance region. (Appears when output_mode=full is specified in API 
request). 
/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 


INSTANCE_AVAILABILITY_ZONE (#PCDATA) 


EC2 instance availability zone.(Appears when output mode=full is specified 


in API request). 


/APPLIANCE_LIST_OUT 
INSTANCE_ZONE_TYP 


FPUT/RESPONSE/APPLIANCE. LIST/APPLIAN 
E (4PCDATA) 


API request). 


CE/CLOUD_INFO/EC2_INFO/ 


EC2 instance zone type. (Appears when output_mode=full is specified in 


/APPLIANCE_LIS 
INSTANCE. VPC. 


OU 


PUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 
D (#PCDATA) 


EC2 instance VPC ID. (Appears when output mode=full is specified in API 


request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 


INSTANCE_SUB 


ET_ID (#PCDATA) 


EC2 instance subnet ID. (Appears when output mode=full is specified in 


API request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 
IP ADDRESS PRIVATE (#PCDATA) 


EC2 instance private IP address. (Appears when output mode=full is 


specified in API request). 
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/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/CLOUD INFO/EC2. INFO/ 


HOSTNAME. PRIVATE (#PCDATA) 


EC2 instance private hostname. (Appears when output mode=full is 
specified in API request). 


/APPLIANCE_LIST_O 


PUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 


U 
SECURITY. GROUPS (SECURITY_GROUP_IDS?, SECURITY GROUP. NAMES?) 
U 


/APPLIANCE LIST O 


PUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 
SECURITY_GROUPS /SECURITY_GROUP_IDS (#PCDATA) 


EC2 instance security group IDs. (Appears when output mode=full is 
specified in API request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 


SECURITY_GROUPS /SECURITY_GROUP_NAMES (#PCDATA) 


EC2 instance security group names. (Appears when output_mode=full is 
specified in API request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 


API_PROXY_SETTINGS (SETTING, PROXY”) 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 


API_PROXY_SETTINGS/S 


ETTING (#PCDATA) 


“Enabled” when proxy settings are enabled for EC2 instance. (Appears when 
output_mode=full is specified in API request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/EC2_INFO/ 


API_PROXY_SETTINGS/PROXY 


PROTOCOL?, IP ADDRESS?, HOSTNAME?, PORT, USER) 


Elements appear as applicable only when output mode=full is specifed in 
API reguest. 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/CLOUD INFO/GCE INFO 


INSTANGCE ID, MACHINE_TYPE, PROJECT ID, PROJECT. NAME, 
PREEMPTIBLE, INSTANCE. ZONE, IP ADDRESS. PRIVATE?, 
HOSTNAME. PRIVATE?, IP ADDRESS PUBLIC?, 

NSTANCE NETWORK, GCE INSTANCE TAGS) 


/APPLIANCE LIST OUTP 
INSTANGCE ID (#PCDATA 


UT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/GCE_INFO/ 


GCE instance ID. (Appears when output_mode=full is specified in API 
request). 


/APPLIANCE_LIST_OUTP 


MACHINE_TYPE (#PCDATA 


UT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/GCE_INFO/ 


GCE instance machine type. (Appears when output mode=full is specified 
in API request). 


/APPLIANCE_LIST_OUTP 
PROJECT. ID (#PCDATA) 


UT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/GCE_INFO/ 


GCE instance project ID. (Appears when output mode=full is specified in 
API request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/GCE_INFO/ 


PROJECT_NAME (#PCDATA) 


GCE instance project name. (Appears when output_mode=full is specified 
in API request). 
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/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/CLOUD INFO/GCE. INFO/ 
PREEMPTIBLE (#PCDATA) 


GCE instance preemptible flag, set to TRUE or FALSE. (Appears when 
output mode=full is specified in API request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/GCE_INFO/ 
INSTANCE_ZONE (#PCDATA) 


GCE instance zone (Appears when output_mode=full is specified in API 
request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/GCE_INFO/ 


IP ADDRESS PRIVATE (#PCDATA) 


GCE instance private IP address. (Appears when output mode=full is 
specified in API request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/GCE_INFO/ 


HOSTNAME_PRIVATE (#PCDATA) 


GCE instance private hostname. (Appears when output mode=full is 
specified in API request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/GCE_INFO/ 


IP ADDRESS. PUBLIC (#PCDATA) 


GCE instance pubic IP address. (Appears when output mode=full is 
specified in API request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/GCE_INFO/ 


INSTANCE_NETWORK (#PCDATA) 


GCE instance network, set to default or a network name. (Appears when 
output_mode=full is specified in API request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/GCE_INFO/ 

GCE INSTANCE TAGS (GCE_INSTANCE_TAG*) 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/CLOUD INFO/GCE. INFO/ 

GCE INSTANCE TAGS/GCE INSTANCE. TAG (TAG ID) 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/CLOUD INFO/GCE. INFO/ 

GCE INSTANCE TAGS/GCE INSTANCE. TAG/TAG ID (#PCDATA 
GCE instance tag. (Appears when output mode=full is specified in API 
reguest). 

/APPLIANCE. LIST. OUTP 


UT/RESPONSE/APPLIANCE. LIST/APPLIANCE/CLOUD INFO/AZURE INFO 


(INSTANCE ID, USER. NAME, INSTANGCE LOCATION, DEPLOYMENT. MODE, 
IP ADDRESS PRIVATE?, HOSTNAME. PRIVATE?) 


/APPLIANCE LIST OUTP 
INSTANCE. ID (#PCDATA 


UT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/AZURE_INFO/ 


Azure instance ID. (Appears when output_mode=full is specified in API 
request). 


/APPLIANCE_LIST_OUTP 
USER_NAME, (#PCDATA) 


UT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/AZURE_INFO/ 


Azure user name. (Appears when output_mode=full is specified in API 
request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/AZURE_INFO/ 


INSTANCE_LOCATION (#PCDATA) 


Azure instance location. (Appears when output mode=full is specified in 
API request). 
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/APPLIAN 


DEPLOYMENT. MODE (#PCDATA) 


CE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/CLOUD INFO/AZURE INFO/ 


Azure instance deployment mode. (Appears when output mode=full is 
specified in API request). 


ANGEMIS MOUV 
DRESS_PRIVATE 


PUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/AZURE_INFO/ 


#PCDATA) 


Azure instance private IP address. (Appears when output mode=full is 
specified in API request). 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/CLOUD_INFO/AZURE_INFO/ 

HOSTNAME_PRIVATE (#PCDATA) 

Azure instance private hostname. (Appears when output_mode=full is 
specified in API request). 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/VLANS (SETTING, VLAN") 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/VLANS/SETTING (#PCDATA) 

A flag indicating whether VLANS are enabled: “enabled” or “disabled”. 
(Appears when output_mode=full. is specified in API request.) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/VLANS/VLAN 
(ID, NAME, IP_ADDRESS?, NETMASK?, IPV6_ADDRESS?, IPV6_SLAAC?) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/VLANS/VLAN/ID (#PCDATA) 

A VLAN ID. (Appears when output mode=full. is specified in API request.) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/VLANS/VLAN/NAME 
A VLAN name. (Appears when output mode=full. is specified in API 
request. 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/VLANS/VLAN/ 

IP ADDRESS (#PCDATA) 

A valid IPv4 address for a VLAN. (Appears when output mode=full. is 
specified in API reguest.) 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/VLANS/VLAN/NETMASK (#PCDATA) 
A valid IPv4 netmask for a VLAN. (Appears when output mode=full. is 
specified in API reguest.) 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/VLANS/VLAN/ 


IPV6. ADDRESS (#PCDATA) 


A valid IPv6 address for a VLA 


specified in API reguest.) 


. (Appears when output mode=full is 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/VLANS/VLAN/IPV6. SLAAC EMPTY 
An empty value indicates that ipv6 auto was specified for auto-configuring 
IPv6 using SLAAC on the VLAN. 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/STATIC ROUTES (ROUTE*) 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/STATIC. ROUTES/ROUTE 
(NAME, IP ADDRESS?, NETMASK?, GATEWAY?, IPV6_ADDRESS?, 
IPV6_NETWORK?, IPV6_GATEWAY?) 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/STATIC. ROUTES/ROUTE/ 

NAME (4PCDATA) 


A static route name. (Appears when output mode=full. is specified in API 


reguest.) 
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/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/STATIC. ROUTES/ROUTE/ 


IP ADDRESS (4PCDATA) 


A target IPv4 network for a static route. (Appears when output mode=full. 
is specified in API reguest.) 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/STATIC. ROUTES/ROUTE/ 


NETMASK (4PCDATA) 


A netmask for a static route. (Appears when output mode=full. is specified 
in API reguest.) 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/STATIC. ROUTES/ROUTE/ 


GATEWAY (#PCDATA) 


A gateway IPv4 address for a static route. (Appears when 
output mode=full. is specified in API request.) 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/STATIC_ROUTES/ROUTE/ 


IPV6 ADDRESS (*PCDATA) 


A valid IPv6 address for a static route. (Appears when output mode=full. is 
specified in API reguest.) 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/STATIC. ROUTES/ROUTE/ 


IPV6 NETWORK (#PCDATA) 


A target IPv6 network for a static route. (Appears when output mode=full. 
is specified in API reguest.) 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/STATIC. ROUTES/ROUTE/ 


IPV6 GATEWAY (#PCDATA) 


A gateway IPv6 address for a static route. (Appears when 
output mode=full. is specified in API request. 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/ML_LATEST (#PCDATA) 


The latest scanning engine version available. (Appears when 
output_mode=full. is specified in API request. 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/ML_VERSION (#PCDATA) 


attribute: updated 


The scanning engine version currently installed on the scanner appliance. 
(Appears when output_mode=full. is specified in API request.) 


“yes” indicates the appliance is updated with the latest version. 


/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/VULNSIGS_LATEST (#PCDATA) 


The latest vulnerability signatures version available. (Appears when 
output_mode=full. is specified in API request. 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/VULNSIGS VERSION (#PCDATA) 


attribute: updated 


he vulnerability signatures version currently installed on the scanner 
appliance. (Appears when output mode=full. is specified in API reguest.) 


u 


yes” indicates the appliance is updated with the latest version. 


/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/ASSET. GROUP COUNT (#PCDATA) 


The number of asset groups that the scanner appliance belongs to. 
(Appears when output mode=full. is specified in API reguest.) 
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/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/ASSET. GROUP LIST 
(ASSET. GROUP* 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/ASSET. GROUP LIST/ 

ASSET. GROUP (ID, NAME 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/ASSET. GROUP LIST/ 

ASSET_GROUP/ID (4PCDATA) 

The ID of an asset group that the appliance belongs to. (Appears when 
output mode=full. is specified in API request.) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/ASSET_GROUP_LIST/ 

ASSET_GROUP/NAME (#PCDATA 
The name of an asset group that the appliance belongs to. (Appears when 
output mode=full. is specified in API request.) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/ASSET_TAGS_LIS 

(ASSET_TAG?) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/ASSET_TAGS_LIST/ 

ASSET_TAG (UUID, NAME) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/ASSET_TAGS_LIST/ 

ASSET_TAG/UUID (4PCDATA) 

The asset tag UUID. (Appears when output_mode=full. is specified in API 
request.) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/ASSET_TAGS_LIST/ 

ASSET_TAG/NAME — (*PCDATA) 

The asset tag name. (Appears when output_mode=full. is specified in API 
request.) 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/LAST UPDATED DATE  (*PCDATA) 
The last date and time when the scanner appliance received a software 
update. (Appears when output mode=full. is specified in API request.) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/POLLING_INTERVAL (#PCDATA) 
The polling interval defined for the scanner appliance. (Appears when 
output_mode=full. is specified in API request. 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/USER_LOGIN (#PCDATA) 

The user login. (Appears when output_mode=full. is specified in API 
request.) 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/HEARTBEATS MISSED (#PCDATA) 
The number of heartbeat checks missed. (Appears when output mode=full. 
is specified in API request.) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/SS_CONNECTION (#PCDATA) 

The new scanner services status: connected or not connected. (Appears 
when output mode=full. is specified in API request.) 

/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/SS_LAST_CONNECTED (#PCDATA) 
The last date/time when new scanner services connected. (Appears when 
output mode=full. is specified in API request.) 

/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/FDCC ENABLED (#PCDATA) 

A flagindicating whether the FDCC module is enabled on the appliance. 
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/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/UPDATED  (*PCDATA) 
A flagindicating whether the appliance is updated with the latest scanning 
engine software and vulnerability signatures software: “yes” or “no”. 
(Appears when output mode=full. is specified in API request.) 
/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/RUNNING SCANS  (SCAN+) 
/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/RUNNING. SCANS/SCAN 
(ID, TITLE, REF, TYPE, SCAN. DATE) 
/APPLIANCE. LIST. OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/RUNNING. SCANS/SCAN/ 
ID (#PCDATA) 
The scan ID of a currently scan running on the scanner appliance. 
/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/RUNNING. SCANS/SCAN/ 
TITLE (#PCDATA) 
The title of a currently scan running on the scanner appliance. 
/APPLIANCE_LIST_OUTPUT/RESPONSE/APPLIANCE_LIST/APPLIANCE/RUNNING_SCANS/SCAN/ 
REF (#PCDATA) 
The scan reference ID for a currently scan running on the scanner 
appliance. 
/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/RUNNING. SCANS/SCAN/ 
TYPE (#PCDATA) 
The scan type of a scan currently running on the scanner appliance. The 
scan type will be one of: Vulnerability Scan, Compliance Scan, Web 
Application Scan, FDCC Scan, or Map. 
/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE. LIST/APPLIANCE/RUNNING. SCANS/SCAN/ 
SCAN DATE (#PCDATA) 
The date and time when the currently running scan was launched. 
/APPLIANCE LIST OUTPUT/RESPONSE/APPLIANCE LIST/APPLIANCE/MAX CAPACITY UNITS (#PCDATA) 
The percentage of capacity available for the scanner appliance. (Appears 
when output mode=full. is specified in API reguest.) 
/APPLIANCE LIST OUTPUT/RESPONSE/LICENSE INFO 
(OVSA. LICENSES. COUNT, OVSA LICENSES USED) 
/APPLIANCE LIST OUTPUT/RESPONSE/LICENSE INFO /OVSA LICENSES COUNT (4PCDATA) 
The number of virtual scanner licenses available in your account. 
/APPLIANCE LIST OUTPUT/RESPONSE/LICENSE INFO /OVSA LICENSES USED (#PCDATA) 
The number of virtual scanner licenses that have been used. 


Scanner Appliance Create Output 


A 


PI used 


<platform API server>/api/2.0/fo/appliance/ with action=create 


DTD for Scanner Appliance Create Output 


<platform API server>/api/2.0/fo/appliance/appliance create output.dtd 


A recent DTD is below. 


90 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 3 - Scan Configuration XML 


<!-- QUALYS APPLIANCE CREATE OUTPUT DTD --> 

<!ELEMENT APPLIANCE CREATE OUTPUT (REQUEST?, RESPONSE) > 

<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 

<!ELEMENT POST DATA (#PCDATA) > 

<!ELEMENT RESPONSE (DATETIME, APPLIANCE) > 

<!ELEMENT APPLIANCE (ID, FRIENDLY NAME, ACTIVATION CODE, 

REMAINING OVSA LICENSES) > 

<!ELEMENT ID (#PCDATA) > 

<!ELEMENT FRIENDLY NAME (#PCDATA) > 

<!ELEMENT ACTIVATION CODE (#PCDATA) > 

<!ELEMENT REMAINING QVSA LICENSES (#PCDATA) > 


XPaths for Scanner Appliance Create Output 


XPath element specifications / notes 
/APPLIANCE_CREATE_OUTPU (REQUEST?,RESPONSE) 
/APPLIANCE_CREATE_OUTPUT/REQUEST 
(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/APPLIANCE_CREATE_OUTPUT/REQUEST/DATETIME (#PCDATA) 
The date and time of the API request. (This element appears only when the 
API request includes the parameter echo_request=1.) 
/APPLIANCE_CREATE_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 
The user login ID of the user who made the request. (This element appears 
only when the API request includes the parameter echo_request=1.) 
/APPLIANCE_CREATE_OUTPUT/REQUEST/RESOURCE — (*PCDATA) 
The resource specified for the request. (This element appears only when 
the API request includes the parameter echo_request=1.) 
/APPLIANCE CREATE OUTPUT/REOUEST/PARAM LIST (PARAM+) 
/APPLIANCE CREATE OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE) 
/APPLIANCE CREATE OUTPUT/REOUEST/PARAM LIST/PARAM/KEY  (#PCDATA) 
An input parameter name. (This element appears only when the API 
reguest includes the parameter echo reguest=1.) 
/APPLIANCE CREATE OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE  (#PCDATA) 


An input parameter 
includes the parame 


value. This element appears only when the API reguest 
ter echo reguest=1. 
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element specifications / notes 


/APPLIANCE CREATE OUTPUT/REOUEST/POST DATA — (4PCDATA) 


The POST data, if any. (This element appears only when the API reguest 
includes the parameter echo reguest=1.) 


REATE OUTPUT/RESPONSE (DATETIME, APPLIANCE) 


/APPLIANCE 


REATE OUTPUT/RESPONSE/DATETIME (#PCDATA) 


The date and time of the Qualys response. 


/APPLIANCE CREATE OUTPUT/RESPONSE/APPLIANCE 


(ID, FRIENDLY. NAME, ACTIVATION. CODE, REMAINING_QVSA_LICENSES) 


/APPLIANCE CREATE OUTPUT/RESPONSE/APPLIANCE/ID (#PCDATA) 


[he scanner appliance ID. 


/APPLIANCE CREATE OUTPUT/RESPONSE/APPLIANCE/FRIENDLY NAME (#PCDATA) 


The friendly name of the scanner appliance. 


/APPLIANCE CREATE OUTPUT/RESPONSE/APPLIANCE/ACTIVATION CODE (4PCDATA) 


[he activation code for the scanner appliance. 


/APPLIANCE_CREATE_OUTPUT/RESPONSE/APPLIANCE/REMAINING_QVSA_LICENSES (#PCDATA) 


[The number of remaining virtual scanner license in your account. 


Replace Scanner Appliance Output 


API used 
<platform API 


server>/api/2.0/fo/appliance/ with action=replace_iscanner 


DTD for Replace Scanner Appliance Output 


<platform API server>/api/2.0/fo/appliance/replace_iscanner/ 
replace_iscanner_output.dtd 
A recent DTD is below. 
<!-- QUALYS REPLACE ISCANNER OUTPUT DTD --> 
<!-- $Revision$ --> 
<!ELEMENT SCANNER_REPLACE OUTPUT (REQUEST?, RESPONSE) > 
<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 
<!ELEMENT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (#PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA) > 
<!ELEMENT PARAM LIST (PARAM+) > 
<!ELEMENT PARAM (KEY, VALUE)> 
<!ELEMENT KEY (#PCDATA) > 
<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 
<!ELEMENT RESPONSE (DATETIME, NEW SETTINGS?, SCHEDULED SCANS?, 
ASSET GROUPS?, SUCCESS?) > 
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TINGS (#PCDATA)> 


<!ELEMENT NEW SET 
<!ELEMENT SCHEDU 
<!ELEMENT ASSET G 
<!ELEMENT SUCCESS 
<= KOE ==> 


ED SCANS (#PCDATA) > 


ROUPS (#PCDATA) > 
(#PCDATA) > 


XPaths for Replace Scanner Appliance Output 


XPath element specifications / notes 
/SCANNER_REPLACE_OUTPUT (REQUEST?, RESPONSE) 
/SCANNER_REPLACE_OUTPUT/REQUEST 
(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/SCANNER_REPLACE_OUTPUT/REQUEST/DATETIME (#PCDATA) 
The date and time of the request. 
/SCANNER REPLACE OUTPUT/REOUEST/USER LOGIN (#PCDATA) 

The user login ID of the user who made the reguest. 
/SCANNER_REPLACE_OUTPUT/REQUEST/RESOURCE — (*PCDATA) 

The resource specified for the request. 
/SCANNER_REPLACE_OUTPUT/REQUEST/PARAM_LIST  (PARAM+) 
/SCANNER_REPLACE_OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
/SCANNER_REPLACE_OUTPUT/REQUEST/PARAM_LIST/PARAM/KEY — (4PCDATA) 

The input parameter name. 
/SCANNER_REPLACE_OUTPUT/REQUEST/PARAM_LIST/PARAM/VALUE  (#PCDATA) 

The input parameter value. 

/SCANNER REPLACE OUTPUT/REOUEST/POST DATA  (*PCDATA) 

The POST data. 
/SCANNER_REPLACE_OUTPUT/RESPONSE 

(DATETIME, NEW_SETTINGS?, SCHEDULED_SCANS?, ASSET_GROUPS?, 

SUCCESS?) 
/SCANNER_REPLACE_OUTPUT/RESPONSE/DATETIME (#PCDATA) 

The date and time of the response. 
/SCANNER_REPLACE_OUTPUT/RESPONSE/NEW_SETTINGS (#PCDATA) 

The scanner appliance settings transferred from the old scanner appliance 

to the new scanner appliance. 
/SCANNER_REPLACE_OUTPUT/RESPONSE/SCHEDULED_SCANS (#PCDATA) 

The scheduled scans updated with the new scanner appliance. 
/SCANNER_REPLACE_OUTPUT/RESPONSE/ASSET_GROUPS (#PCDATA) 

The asset groups updated with the new scanner appliance. 
/SCANNER_REPLACE_OUTPUT/RESPONSE/SUCCESS (#PCDATA) 


The success message. 
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Static Search List Output 


API used 
<platform API server>/api/2.0/fo/gid. search, list/static/?action=list 


DTD for Static Search List Output 
<platform API server>/api/2.0/fo/gid/search, list/static/static list output.dtd 
A recent DTD is below. 


<!-- QUALYS STATIC SEARCH LIST OUTPUT DTD --> 


<!ELEMENT STATIC SEARCH LIST OUTPUT (REOUEST?, RESPONSE) > 
<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARA (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 

<!ELEMENT POST DATA (#PCDATA) > 


Z H 2 ee 


<!ELEMENT RESPONSE (DATETIME, STATIC LISTS?)> 

<!ELEMENT STATIC LISTS (STATIC LIST+)> 

<!ELEMENT STATIC LIST (ID, TITLE, GLOBAL, OWNER, CREATED?, MODIFIED BY?, 
ODIFIED?, QIDS?, OPTION PROFILES?, 

REPORT TEMPLATES?, REMEDIATION POLICIES?, 
DISTRIBUTION GROUPS?, COMMENTS?) > 


ENT TITLE (#PCDATA) > 
ENT GLOBAL (#PCDATA) > 
PCDATA) > 
(#PCDATA) > 
B 


<!ELE D BY (#PCDATA) > 
<!ELEMENT MODIFIED (#PCDATA) > 
<!ELEMENT QIDS (QID+)> 


Q 

OPTION PROFILES (OPTION PROFILE+) > 

OPTION PROFILE (ID, TITLE)> 
<!ELEMENT REPORT TEMPLATES (REPORT TEMPLATE+) > 

R E 

R 

R 


EPORT TEMPLATE (ID, TITLE)> 


EMEDIATION POLICIES (REMEDIATION POLICY+)> 


M 

M 

M EMEDIATION POLICY (1D, TITLE)> 
<!ELEMENT DISTRIBUTION GROUPS (DISTRIBUTION GROUP+)> 

M 

M 

M 


ENT DISTRIBUTION GROUP (NAME) > 
ENT NAME (#PCDATA) > 
ENT COMMENTS (#PCDATA) > 
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XPaths for Static Search List Output 


XPath element specifications / notes 
(STATIC. SEARCH LIST OUTPUT (REQUEST?, RESPONSE) 


(STATIC. SEARCH LIST. OUTPUT/REOUEST 
(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 


(STATIC SEARCH LIST OUTPUT/REOUEST/DATETIME (#PCDATA) 


The date and time of the request. 
(STATIC SEARCH LIST OUTPUT/REOUEST/USER LOGIN (#PCDATA) 


The user login ID of the user who made the reguest. 
(STATIC. SEARCH LIST OUTPUT/REOUEST/RESOURCE — (4PCDATA) 


The resource specified for the reguest. 
(STATIC SEARCH LIST OUTPUT/REOUEST/PARAM LIST (PARAM+) 


(STATIC SEARCH LIST OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE) 
(STATIC SEARCH LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY (#PCDATA) 


The input parameter name. 
(STATIC SEARCH LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE (#PCDATA) 


The input parameter value. 

(STATIC SEARCH LIST OUTPUT/REOUEST/POST. DATA — (4PCDATA) 
The POST data. 
/STATIC SEARCH LIST OUTPUT/RESPONSE (DATETIME, STATIC. LISTS?) 
(STATIC. SEARCH LIST. OUTPUT/RESPONSE/DATETIME (#PCDATA) 

The date and time of the response. 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS (STATIC_LIST+) 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST 


(ID, TITLE, GLOBAL, OWNER, CREATED?, MODIFIED_BY?, MODIFIED?, 
QIDS?, OPTION_PROFILES?, REPORT. TEMPLATES?, 
REMEDIATION_POLICIES?, DISTRIBUTION_GROUPS?, COMMENTS?) 


/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/ID (#PCDATA) 
Search list ID. 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/TITLE (4PCDATA) 
Search list title. 


/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/OWNER (#PCDATA) 


Owner of the search list. 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/GLOBAL (#PCDATA) 
Set to Yes for a global search list, or No. 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/CREATED (#PCDATA) 


Search list creation date. 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/MODIFIED_BY (#PCDATA) 


User who modified the search list. 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/MODIFIED (#PCDATA) 
Date the search list was modified. 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/QIDS (QID+) 
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XPath element specifications / notes 
(STATIC. SEARCH LIST OUTPUT/RESPONSE/STATIC LISTS/STATIC LIST/OID (QID) 
(STATIC. SEARCH LIST. OUTPUT/RESPONSE/STATIC LISTS/STATIC. LIST/OIDS/OID (#PCDATA) 

OID included in the search list. 

(STATIC. SEARCH LIST OUTPUT/RESPONSE/STATIC. LISTS/STATIC. LIST/OPTION. PROFILE 
(OPTION. PROFILE+) 

(STATIC SEARCH LIST. OUTPUT/RESPONSE/STATIC. LISTS/STATIC. LIST/OPTION. PROFILES/ 
OPTION PROFILE (ID, TITLE) 

(STATIC. SEARCH LIST. OUTPUT/RESPONSE/STATIC. LISTS/STATIC. LIST/OPTION. PROFILES/ 
OPTION PROFILE/ID (#PCDATA) 

ID of the option profile where the search list is defined. 

(STATIC. SEARCH. LIST OUTPUT/RESPONSE/STATIC. LISTS/STATIC. LIST/OPTION. PROFILES/ 
OPTION PROFILE/TITLE (#PCDATA) 

Title of an option profile title where the search list is defined. 
(STATIC. SEARCH LIST. OUTPUT/RESPONSE/STATIC. LISTS/STATIC. LIST/REPORT. TEMPLATES 
(REPORT. TEMPLATE+ 
(STATIC. SEARCH LIST OUTPUT/RESPONSE/STATIC. LISTS/STATIC. LIST/REPORT. TEMPLATES/ 
REPORT. TEMPLATE (ID, TITLE) 

(STATIC. SEARCH LIST OUTPUT/RESPONSE/STATIC. LISTS/STATIC. LIST/REPORT. TEMPLATES/ 
REPORT. TEMPLATE/ID (#PCDATA) 

ID of a report template where the search list is defined 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/REPORT_TEMPLATES/ 
REPORT. TEMPLATE/TITLE — (*PCDATA) 

Title of a report template where of the search list is defined. 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/REMEDIATION_POLICIES 
(REMEDIATION_POLICY+) 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/REMEDIATION_POLICIES/ 
REMEDIATION_POLICY (ID, TITLE) 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/REMEDIATION_POLICIES/ 
REMEDIATION POLICY/ID — (*PCDATA) 

ID of a remediation policy where the search list is defined. 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/REMEDIATION_POLICIES/ 
REMEDIATION POLICY/TITLE (#PCDATA) 

Title of a remediation policy where the search list is defined. 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/DISTRIBUTION_GROUPS 
(DISTRIBUTION_GROUP+) 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/DISTRIBUTION_GROUPS/ 
DISTRIBUTION_GROUP (NAME) 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/DISTRIBUTION_GROUPS/ 
DISTRIBUTION_GROUP/NAME — (*PCDATA) 

Name of a distribution group where the search list is defined. 
/STATIC_SEARCH_LIST_OUTPUT/RESPONSE/STATIC_LISTS/STATIC_LIST/COMMENTS (4PCDATA) 

User defined comments. 
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Dynamic Search List Output 


API used 
<platform API server>/api/2.0/fo/gid search list/dynamic/?action=list 


DTD for Dynamic Search List Output 
<platform API server>/api/2.0/fo/gid/search list/dynamic/dynamic list output.dtd 
A recent DTD is below. 


<!-- QUALYS DYNAMIC SEARCH LIST OUTPUT DTD --> 


<!ELEMENT DYNAMIC SEARCH LIST OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<! ELEM 


zo] 


ENT VALUE (#PCDATA)> 
<!-- if returned, POST DATA will be urlencoded --> 
E 


<!ELEMENT POST DATA ( PCDATA) > 


<!ELEMENT RESPONSE (DATETIME, DYNAMIC LISTS?)> 

<!ELEMENT DYNAMIC LISTS (DYNAMIC LIST+) > 

<!ELEMENT DYNAMIC LIST (ID, TITLE, GLOBAL, OWNER, CREATED?, MODIFIED BY?, 
MODIFIED?, OIDS?, CRITERIA, OPTION PROFILES?, 
REPORT TEMPLATES?, REMEDIATION POLICIES?, 
DISTRIBUTION GROUPS?, COMMENTS?)> 


<!ELEMENT ID (#PCDATA) > 
<!ELEMENT TITLE (#PCDATA) > 
<!ELEMENT GLOBAL (#PCDATA) > 
M 
M 


<!ELE # PCDATA) > 

<!ELE (#PCDATA) > 
<!ELEMENT MODIFIED BY (#PCDATA) > 
<!ELEMENT MODIFI (#PCDATA) > 
<!ELEMENT OIDS (QID+)> 
<!ELEMENT QID (#PCDATA) > 
<!ELEMENT CRITERIA (VULNERABILITY TITLE?, DISCOVERY METHOD?, 
AUTHENTICATION TYPE?, USER CONFIGURATION?, CATEGORY?, 
CONFIRMED SEVERITY?, POTENTIAL SEVERITY?, 
INFORMATION SEVERITY?, VENDOR?, PRODUCT?, CVSS BASE SCORE?, 
CVSS_TEMPORAL SCORE?, CVSS3 BASE SCORE?, CVSS3 TEMPORAL SCORE?, 
CVSS ACCESS VECTOR?, PATCH AVAILABLE?, VIRTUAL PATCH AVAILABLE?, 
CVE ID?, EXPLOITABILITY?, ASSOCIATED MALWARE?, VENDOR_REFERENCE?, 
BUGTRAQ ID?, VULNERABILITY DETAILS?, SUPPORTED MODULES?, 
COMPLIANCE DETAILS?, COMPLIANCE TYPE?, QUALYS TOP 20?, OTHER?, 
NETWORK ACCE 


Hm HO 


SS?, PROVIDER?, CVSS BASE SCORE OPERAND?, 
CVSS TEMPORAL SCORE OPERAND?, CVSS3 BASE SCORE OPERAND?, 
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CVSS3 TEMPORAL SCORE OPERAND?, USER MODIFIED?, PUBLISHED?, 
SERVICE MODIFIED?, CPE?)> 
<!ELEMENT VULNERABILITY TITLE (#PCDATA) > 
<!ELEMENT DISCOVERY METHOD (#PCDATA) > 
<!ELEMENT AUTHENTICATION TYPE (#PCDATA) > 
<!ELEMENT USER CONFIGURATION (#PCDATA) > 
<!ELEMENT CATEGORY (#PCDATA) > 
<!ELEMENT CONFIRMED SEVERITY (#PCDATA) > 
<!ELEMENT POTENTIAL SEVERITY (#PCDATA) > 
<!ELEMENT INFORMATION SEVERITY (#PCDATA) > 
<!ELEMENT VENDOR (#PCDATA) > 
<!ELEMENT PRODUCT (#PCDATA) > 
<!ELEMENT CVSS BASE SCORE (#PCDATA) > 
<!ELEMENT CVSS TEMPORAL SCORE (#PCDATA) > 
<!ELEMENT CVSS ACCESS VECTOR (#PCDATA) > 
<!ELEMENT PATCH AVAILABLE (#PCDATA) > 
<!ELEMENT VIRTUAL PATCH AVAILABLE (#PCDATA) > 
<!ELEMENT CVE_ID (#PCDATA) > 
<!ELEMENT EXPLOITABILITY (#PCDATA) > 
<!ELEMENT ASSOCIATED MALWARE (#PCDATA) > 
<!ELEMENT VENDOR REFERENCE (#PCDATA) > 
<!ELEMENT BUGTRAQ ID (#PCDATA) > 
<!ELEMENT VULNERABILITY DETAILS (#PCDATA) > 
<!ELEMENT SUPPORTED MODULES (#PCDATA) > 
<!ELEMENT COMPLIANCE DETAILS (#PCDATA) > 
<!ELEMENT COMPLIANCE TYPE (#PCDATA) > 
<!ELEMENT QUALYS TOP 20 (#PCDATA) > 
<!ELEMENT OTHER (#PCDATA) > 
<!ELEMENT NETWORK ACCESS (#PCDATA) > 
<!ELEMENT PROVIDER (#PCDATA) > 
<!ELEMENT CVSS BASE SCORE OPERAND (#PCDATA) > 
<!ELEMENT CVSS TEMPORAL SCORE OPERAND (#PCDATA) > 
<!ELEMENT CVSS3 BASE SCORE (#PCDATA) > 
<!ELEMENT CVSS3 TEMPORAL SCORE (#PCDATA) > 
<!ELEMENT CVSS3 BASE SCORE OPERAND (#PCDATA) > 
<!ELEMENT CVSS3 TEMPORAL SCORE OPERAND (#PCDATA) > 
<!ELEMENT OPTION PROFILES (OPTION PROFILE+) > 
<!ELEMENT OPTION PROFILE (ID, TITLE)> 
<!ELEMENT REPORT TEMPLATES (REPORT TEMPLATE+) > 
<!ELEMENT REPORT TEMPLATE (ID, TITLE) > 
<!ELEMENT REMEDIATION POLICIES (REMEDIATION POLICY+) > 
<!ELEMENT REMEDIATION POLICY (ID, TITLE) > 
<!ELEMENT DISTRIBUTION GROUPS (DISTRIBUTION GROUP+) > 
<!ELEMENT DISTRIBUTION GROUP (NAME) > 
<!ELEMENT NAME (#PCDATA) > 
<!ELEMENT COMMENTS (#PCDATA) > 
<!ELEMENT USER MODIFIED (#PCDATA) > 
<!ELEMENT PUBLISHED (#PCDATA) > 
<!ELEMENT SERVICE MODIFIED (#PCDATA) > 
<!ELEMENT CPE (#PCDATA) > 
<!-- EOF --> 
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XPaths for Dynamic Search List Output 


XPath element specifications / notes 
/DYNAMIC. SEARCH LIST OUTPUT (REQUEST?, RESPONSE) 
/DYNAMIC. SEARCH LIST. OUTPUT/REOUEST 
(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/DYNAMIC SEARCH LIST OUTPUT/REOUEST/DATETIME — (*PCDATA) 

The date and time of the request. 
/DYNAMIC_SEARCH_LIST_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 

The user login ID of the user who made the request. 

/DYNAMIC SEARCH LIST OUTPUT/REOUEST/RESOURCE (#PCDATA) 
The resource specified for the reguest. 
/DYNAMIC SEARCH LIST OUTPUT/REOUEST/PARAM LIST (PARAM+) 
/DYNAMIC. SEARCH LIST OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE) 
/DYNAMIC. SEARCH LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY — (4PCDATA) 

The input parameter name. 

/DYNAMIC. SEARCH LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE — (*PCDATA) 

The input parameter value. 

/DYNAMIC. SEARCH LIST OUTPUT/REOUEST/POST DATA (#PCDATA) 

The POST data. 

/DYNAMIC. SEARCH LIST OUTPUT/RESPONSE (DATETIME, DYNAMIC LISTS?) 
/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DATETIME (#PCDATA) 

The date and time of the response. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS (DYNAMIC_LIST+) 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST 

(ID, TITLE, GLOBAL, OWNER, CREATED?, MODIFIED_BY?, MODIFIED?, 

QIDS?, CRITERIA, OPTION. PROFILES?, REPORT. TEMPLATES?, 

REMEDIATION. POLICIES?, DISTRIBUTION. GROUPS?, COMMENTS?) 
/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC LISTS/DYNAMIC LIST/ID (4PCDATA) 

Search list ID. 

/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/TITLE (#PCDATA) 

Search list title. 

/DYNAMIC. SEARCH LIST OUTPUT/RESPONSE/DYNAMIC LISTS/DYNAMIC LIST/GLOBAL (#PCDATA) 

Set to Yes for a global search list, or No. 

/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC LISTS/DYNAMIC LIST/OWNER (4PCDATA) 

Owner of the search list 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CREATED (#PCDATA) 

Search list creation date. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/MODIFIED_BY (#PCDATA) 

User who modified the search list. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/MODIFIED (#PCDATA) 

Date the search list was modified. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/QIDS (QID+) 
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One or more vendor product names. 


/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC LISTS/DYNAMIC LIST/CID (QID) 
/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC LISTS/DYNAMIC LIST/OIDS/OID (4PCDATA) 

OID included in the search list. 

/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC.  LISTS/DYNAMIC LIST/CRITERIA 

(VULNERABILITY_TITLE?, DISCOVERY. METHOD?, 

AUTHENTICATION TYPE?, USER. CONFIGURATION?, CATEGORY?, 

CONFIRMED. SEVERITY?, POTENTIAL SEVERITY?, 

INFORMATION SEVERITY?, VENDOR?, PRODUCT?, CVSS BASE SCORE?, 

CVSS. TEMPORAL SCORE?, CVSS3 BASE SCORE?, 

CVSS3 TEMPORAL SCORE?, CVSS ACCESS VECTOR?, PATCH. AVAILABLE?, 

VIRTUAL PATCH AVAILABLE?, CVE ID?, EXPLOITABILITY?, 

ASSOCIATED MALWARE?, VENDOR REFERENCE?, BUGTRAO ID?, 

VULNERABILITY_DETAILS?, SUPPORTED. MODULES?, 

COMPLIANCE DETAILS?, COMPLIANCE TYPE?, OUALYS TOP 20?, OTHER?, 

NETWORK ACCESS?, PROVIDER?, CVSS BASE SCORE OPERAND?, 

CVSS TEMPORAL SCORE OPERAND?, CVSS3 BASE SCORE OPERAND?, 

CVSS3 TEMPORAL SCORE OPERAND?, USER MODIFIED?, PUBLISHED?, 

SERVICE. MODIFIED?, CPE?) 

/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC  LISTS/DYNAMIC LIST/CRITERIA/ 
VULNERABILITY TITLE (#PCDATA) 

Vulnerability title. 

/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/CRITERIA/ 
DISCOVERY METHOD (#PCDATA) 

Discovery method. 

/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/CRITERIA/ 
AUTHENTICATION TYPE (#PCDATA) 

Authentication type. 

/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/CRITERIA/ 
USER CONFIGURATION (#PCDATA) 

User configuration. 

/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC. LIST/CRITERIA/CATEGORY 
(#PCDATA) 

Vulnerability category. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
CONFIRMED_SEVERITY (#PCDATA) 

One or more severities of confirmed vulnerabilities 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
POTENTIAL_SEVERITY (#PCDATA 

One or more severities of potential vulnerabilities. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
INFORMATION_SEVERITY (#PCDATA 

One or more severities of information gathered. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/VENDOR 
(#PCDATA 

One or more vendor IDs. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/PRODUCT 
(#PCDATA 
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/DYNAMIC. SEARCH LIST OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/CRITERIA/ 
CGVSS BASE. SCORE (4PCDATA) 

CVSS2 base score value 
/DYNAMIC. SEARCH. LIST. OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC. LIST/CRITERIA/ 
CVSS TEMPORAL SCORE (#PCDATA) 

CVSS2 temporal score value. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
CVSS3_BASE_SCORE (#PCDATA) 

CVSS3 base score value 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
CVSS3_TEMPORAL_SCORE (#PCDATA) 

CVSS3 temporal score value. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
CVSS_ACCESS_VECTOR (#PCDATA) 

Value of CVSS access vector. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
PATCH_AVAILABLE (#PCDATA) 

Set to Yes when vulnerabilities with patches are included in criteria. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
VIRTUAL_PATCH_AVAILABLE (#PCDATA) 

Set to Yes when vulnerabilities with Trend Micro virtual patches are 

included in criteria. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/CVE_ID 
(#PCDATA) 

One or more CVE IDs. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
EXPLOITABILITY (#PCDATA 

One or more vendors with exploitability info. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
ASSOCIATED MALWARE (#PCDATA) 

One or more vendors with malware info. 

/DYNAMIC. SEARCH LIST OUTPUT/RESPONSE/DYNAMIC,. LISTS/DYNAMIC LIST/CRITERIA/ 
VENDOR REFERENCE (#PCDATA) 

One or more vendor references 
/DYNAMIC. SEARCH LIST OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/CRITERIA/ 
BUGTRAO ID (4PCDATA) 

Bugtrag ID number assigned to vulnerabilities. 

/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/CRITERIA/ 
VULNERABILITY DETAILS (#PCDATA) 

A string matching vulnerability details. 

/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/CRITERIA/ 
SUPPORTED. MODULES (#PCDATA) 

One or more Qualys modules that can be used to detect the vulnerability. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
COMPLIANCE_DETAILS (#PCDATA) 

A string matching compliance details. 
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/DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/CRITERIA/ 
COMPLIANCE TYPE (#PCDATA) 

One or more compliance types. 
/DYNAMIC. SEARCH. LIST. OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC. LIST/CRITERIA/ 
OUALYS. TOP 20 (#PCDATA) 

One or more Oualys top lists: Internal 10, Extermal 10. 
/DYNAMIC. SEARCH LIST OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/CRITERIA/OTHER 
(#PCDATA) 

Not exploitable due to configuration listed (i.e. vulnerabilities on non 

unning services). 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
NETWORK ACCESS (#PCDATA) 

NAC/NAM vulnerabilities are set when this element is present. 
(DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/CRITERIA/ 
PROVIDER (#PCDATA) 

Provider of the vulnerability if not Qualys. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
CVSS BASE SCORE OPERAND (#PCDATA) 

CVSS2 base score operand. 1 for the greater than equal operand, or 2 for the 

less than operand. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 


CVSS_TEMPORAL_SCORE_OPE 


RAN 


D (#PCDATA) 


for the less than operand. 


CVSS2 temporal score operand. 1 for the greater than equal operand, or 2 


/DYNAMIC. SEARCH LIST OU 


PU 


CVSS3 BASE SCORE OPERAND (#PCDATA) 


/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 


CVSS3 base score operand. 1 for the greater than equal operand, or 2 for the 


less than operand. 


/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
CVSS3 TEMPORAL SCORE OPERAND (#PCDATA) 

CVSS3 temporal score operand. 1 forthe greater than egual operand, or 2 

for the less than operand. 

/DYNAMIC. SEARCH LIST OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/CRITERIA/ 
USER MODIFIED (#PCDATA 

Date user modified the list. 

/DYNAMIC. SEARCH LIST OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/CRITERIA/ 
PUBLISHED (#PCDATA) 

Date the list was published 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 
SERVICE_MODIFIED (#PCDATA) 

Date the service modified the list. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/CRITERIA/ 

CPE (#PCDATA) 

One or more CPE values: Operating System, Application, Hardware. 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/OPTION_PROFILES 
(OPTION_PROFILE+) 
/DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/OPTION_PROFILES/ 
OPTION PROFILE (ID, TITLE) 
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DYNAMIC. SEARCH LIST OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC LIST/OPTION. PROFILES/ 


[ION PROFILE/ID — (*PCDATA) 


ID of the option profile where the search list. is defined. 


DYNAMIC. SEARCH LIST OUTPUT/RESPONSE/DYNAMIC LISTS/DYNAMIC LIST/OPTION. PROFILES/ 


[ION PROFILE/TITLE (#PCDATA) 


Title of the option profile title where the search list is defined. 


DYNAMIC. SEARCH LIST. OUTPUT/RESPONSE/DYNAMIC LISTS/DYNAMIC LIST/REPORT. TEMPLATES 


(REPORT. TEMPLATE +) 


DYNAMIC SEARCH L 


OUTPUT/RESPONSE/DYNAMIC. LISTS/DYNAMIC. LIST/REPORT. TEMPLATES/ 


TT) 
EPORT TEMPLATE (ID, TITLE) 


DYNAMIC SEARCH LIST. ! SE/DYNAMIC LISTS/DYNAMIC LIST/REPORT. TEMPLATES/REPO 


WN 
O 
E 
ag) 
G 
< 
bs] 
tri 
un 
ng) 
O 
Z 


y 
z 
> 


EMPLATE/ID (#P 


ID of the report template where the search list is defined. 


DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/REPORT_TEMPLATES/REPO 


EMPLATE/TITLE  (#PCDATA) 


Title of a report template where the search list is defined. 


DYNAMIC_SEARCH_LIST_O 


/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/ 


EMEDIATION_POLICIES (REM 


rue) ac 


DYNAMIC_SEARCH_LIST_O 


y UTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/ 
EMEDIATION_POLICIES/REMEDIATION_POLICY (ID, TITLE 


DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/ 


U 


Z 
mi 
J 


ATION_PO LIC ES/REMEDIATION_POLICY/ID #PCDATA) 


ID of a remediation policy where the search list is defined. 


DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/ 


C 


MED ATION_POLIC ES/REMEI 


(4PCDATA 


Title of a remediation policy where the search list is defined. 


= 
> 
O 
Z 
y) 
O 
C 

Q 
= 
z 
i= 


DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/ 


RIBU ION_GROUPS DISTRIBUTION_GROUP+ 


DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/ 
DISTRIBUTION_GROUPS/ DISTRIBUTION_GROUP (NAME) 


DYNAMIC_SEARCH_LIST_OUTPUT/RESPONSE/DYNAMIC_LISTS/DYNAMIC_LIST/ 


RIBUT ION_GROU PS/DISTRIBU TION GROUP/NAME (#PCDATA) 


Name of distribution group where the search list is defined. 


DYNAMIC. SEARCH LIST OUTPUT/RESPONSE/DYNAMIC LISTS/DYNAMIC LIST/COMMENTS (#PCDATA) 


User defined comments. 
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<platform API server>/api/2.0/fo/subscription/option_profile/?action=export 


<platform API server>/api/2.0/fo/subscription/option_profile/?action=import 


DTD for Option Profile Output 


<platform API server>/api/2.0/fo/subscription/option 


_profile/option_profile_info.dtd 


A recent DTD is shown below. 
<!ELEMENT OPTION PROFILES (OPTION PROFILE) *> 
<!ELEMENT OPTION PROFILE (BASIC INFO, SCAN, MAP?, ADDITIONAL, 
INSTANCE DATA COLLECTION?,OS BASED INSTANCE DISC COLLECTION?) > 
<!ELEMENT BASIC INFO (ID, GROUP NAME, GROUP TYPE, USER ID, UNIT ID, 
SUBSCRIPTION ID, IS DEFAULT?, IS GLOBAL?, IS OFFLINE SYNCABLE?, 
UPDATE DATE?)> 
<!ELEMENT ID (#PCDATA)> 
<!ELEMENT GROUP NAME (#PCDATA) > 
<!ELEMENT GROUP TYPE (#PCDATA) > 
<!ELEMENT USER ID (#PCDATA) > 
<!ELEMENT UNIT ID (#PCDATA) > 
<!ELEMENT SUBSCRIPTION ID (#PCDATA) > 
<!ELEMENT IS DEFAULT (#PCDATA) > 
<!ELEMENT IS GLOBAL (#PCDATA) > 
<!ELEMENT IS OFFLINE SYNCABLE (#PCDATA) > 
<!ELEMENT UPDATE DATE (#PCDATA) > 
<!ELEMENT SCAN (PORTS?, SCAN DEAD HOSTS?, CLOSE VULNERABILITIES?, 
PURGE OLD HOST OS CHANGED?, PERFORMANCE?, LOAD BALANCER DETECTION?, 
PASSWORD BRUTE FORCING?, VULNERABILITY DETECTION?, AUTHENTICATION?, 
ADDL CERT DETECTION?, DISSOLVABLE AGENT?, SCAN RESTRICTION?, 
DATABASE PREFERENCE KEY?, SYSTEM AUTH RECORD?, LITE OS SCAN?, 
CUSTOM HTTP HEADER?, HOST ALIVE TESTING?, ETHERNET IP PROBING?, 
FILE INTEGRITY MONITORING?, CONTROL TYPES?, DO NOT OVERWRITE OS?, 
TEST AUTHENTICATION?) > 
<!ELEMENT PORTS (TCP PORTS?, UDP PORTS?, AUTHORITATIVE OPTION?, 
(STANDARD SCAN|TARGETED SCAN) ?) > 
<!ELEMENT TCP PORTS (TCP PORTS TYPE?, TCP PORTS STANDARD SCAN?, 
TCP PORTS ADDITIONAL?, THREE WAY HANDSHAKE?, STANDARD SCAN?, 
TCP ADDITIONAL?) > 
<!ELEMENT TCP PORTS TYPE (#PCDATA) > 
<!ELEMENT TCP PORTS ADDITIONAL (HAS ADDITIONAL?, ADDITIONAL PORTS?) > 
<!ELEMENT HAS ADDITIONAL (#PCDATA) > 
<!ELEMENT ADDITIONAL PORTS (#PCDATA) > 
<!ELEMENT THREE WAY HANDSHAKE (#PCDATA) > 
<!ELEMENT UDP PORTS (UDP PORTS TYPE?, UDP PORTS STANDARD SCAN?, 
UDP PORTS ADDITIONAL?, (STANDARD SCAN|CUSTOM PORT) ?) > 
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UDP PORTS TYPE (#PCDATA) > 


UDP PORTS ADDITIONAL (HAS ADDITIONAL?, ADDITIONAL PORTS?) > 


AUTHORITAT 
STANDARD S 
TARGETED S 


SCAN_DEAD | 


IVE OPTION (#PCDATA) > 
CAN (#PCDATA) > 
CAN (#PCDATA) > 


HOSTS (#PCDATA) > 


CLOSE VULN 


ERABILITIES (HAS CLOSE VULNERABILITIES?, 


ENT 


ENT 


| FOUND ALIVE 
HAS CLOSE VULNERABILITIES (#PCDATA) > 


2)> 


HOST NOT F 


PURGE OLD | 


<!ELE 


ENT 


PERFORMANC 


HOSTS TO SCAN, PROCE 


OUND ALIVE (#PCDATA) > 


HOST OS CHANGED (#PCDATA) > 


E (PARALLEL SCALING?, OVERALL PERFORMANCE 


s 


SSES TO RUN, PACKET DELAY, 


PORT SCANNING AND HOST DISCOVERY, EXTERNAL SCANNERS TO USE?, 


HOST CGI 


MAX N 


UMBE 
PRE 


ENT 


CHECKS?, MA 
R OF TARGET 
SCANNING?, 

PARALLEL S 


X CGI CHECKS?, MAX TARGETS PER SLICE?, 
S?, CONF SCAN LIMITED CONNECTIVITY?, 
SCAN MULTIPLE SLICES PER SCANNER?) > 
CALING (#PCDATA) > 


ENT 


OVERALL PE 


ENT 


HOSTS TO S 


EXTERNAL S 


RFORMANCE (#PCDATA) > 
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CAN (EXTERNAL SCANNERS, SCANNER APPLIANCES) > 


CANNERS (#PCDATA) > 


SCANNER_AP 
PROCESSES _ 
TOTAL PROC 


PLIANCES (#PCDATA) > 
TO RUN (TOTAL PROCESSES, HTTP PROCESSES) > 
ESSES (#PCDATA) > 


HTTP PROCE 


PORT SCANN 


EXTERNAL S 


PACKET DELAY (#PCDATA) > 


SSES (#PCDATA) > 


ING AND HOST DISCOVERY (#PCDATA) > 
CANNERS TO USE (#PCDATA) > 


HOST CGI C 


[AX CGI CH 


HECKS (#PCDATA) > 
ECKS (#PCDATA) > 


S PER SLICE (#PCDATA) > 


[AX TARGET 


CONF SCAN 


[AX NUMBER OF TARGETS (#PCDATA) > 


LIMITED CONNECTIVITY (#PCDATA) > 


SKIP PRE SCANNING (#PCDATA) > 


SCAN_MULTI 


PLE SLICES PER SCANNER (#PCDATA) > 


LOAD BALAN 


PASSWORD_B 


SYSTEM (HA 
HAS SYSTEM 


CER DETECTION (t PCDATA) > 


RUTE FORCING (SYSTEM?, CUSTOM LIST?)> 
S SYSTEM?, SYSTEM LEVEL?) > 


(#PCDATA) > 


E 


SYSTEM LEV 


EL (#PCDATA) > 


CUSTOM LIS 
CUSTOM (ID 
TITLE (#PC 


OGIN PASS 


VULNERABIL 


TYPE (#PCDATA)> 


T (CUSTOM+) > 
, TITLE, TYPE?, LOGIN PASSWORD?) +> 
DATA) > 


WORD (#PCDATA) > 


3 


ITY DETECTION ((COMPLETE |CUSTOM LIST|RUNTIM 
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DETECTION INCLUDE?, DETECTION EXCLUDE?) > 
<!ELEMENT COMPLETE (#PCDATA) > 
<!ELEMENT RUNTIME (#PCDATA) > 


<!ELEMENT DETECTION INCLUDE (BASIC HOST INFO CHECKS, OVAL CHECKS, 
ORDI CHECKS?) > 
<!ELEMENT BASIC HOST INFO CHECKS (#PCDATA) > 
<!ELEMENT OVAL CHECKS (#PCDATA) > 

<!ELEMENT QRDI CHECKS (#PCDATA) > 
<!ELEMENT DETECTION EXCLUDE (CUSTOM LIST+) > 


<!ELEMENT AUTHENTICATION (#PCDATA) > 
<!ELEMENT ADDL CERT DETECTION (#PCDATA) > 


El 


<!ELEMENT DISSOLVABLE AGENT (DISSOLVABLE AGENT ENABLE, 
PASSWORD AUDITING ENABLE?, WINDOWS SHARE ENUMERATION ENABLE, 
S DIRECTORY SEARCH ENABLE?) > 


<!ELEMENT DISSOLVABLE AGENT ENABLE (#PCDATA) > 
<!ELEMENT PASSWORD AUDITING ENABLE (HAS PASSWORD AUDITING ENABLE?, 
PASSWORD DICTIONARY?) > 
<!ELEMENT HAS PASSWORD AUDITING ENABLE (#PCDATA) > 
<!ELEMENT CUSTOM PASSWORD DICTIONARY (#PCDATA) > 
<!ELEMENT WINDOWS SHARE ENUMERATION ENABLE (#PCDATA) > 


<!ELEMENT WINDOWS DIRECTORY SEARCH ENABLE (t PCDATA) > 


Q 
Gq 
un 
O 

U 


<!ELEMENT SCAN RESTRICTION (SCAN BY POLICY?)> 
<!ELEMENT SCAN BY POLICY (POLICY+)> 
<!ELEMENT POLICY (ID, TITLE) 


El 


El 


<!ELEMENT DATABASE PREFERENCE KEY (MSSQL?, ORACL 
SAPIQ?, DB2?)> 
<!ELEMENT MSSQL (DB UDC RESTRICTION, DB UDC LIMIT) > 
<!ELEMENT ORACLE (DB UDC RESTRICTION, DB UDC LIMIT) > 
<!ELEMENT SYBASE (DB UDC RESTRICTION, DB UDC LIMIT) > 
<!ELEMENT POSTGRESQL (DB UDC RESTRICTION, DB UDC LIMIT) > 
<!ELEMENT SAPIQ (DB UDC RESTRICTION, DB UDC LIMIT) > 
<!ELEMENT DB2 (DB UDC RESTRICTION, DB UDC LIMIT) > 
<!ELEMENT DB UDC RESTRICTION (#PCDATA) > 
<!ELEMENT DB UDC LIMIT (#PCDATA) > 


?, SYBASE?, POSTGRESOL?, 


HEG 


<!ELEMENT SYSTEM AUTH RECORD (ALLOW AUTH CREATION|INCLUDE SYSTEM AUTH) > 
<!ELEMENT ALLOW AUTH CREATION (AUTHENTICATION TYPE LIST, 
IBM WAS DISCOVERY MODE?, ORACLE AUTHENTICATION TEMPLATE?) 
<!ELEMENT AUTHENTICATION TYPE LIST (AUTHENTICATION TYPE+ 
<!ELEMENT AUTHENTICATION TYPE (#PCDATA) > 


A 

<!ELEMENT IBM WAS DISCOVERY MODE (t PCDATA) > 
O 
T 


RACLE AUTHENTICATION TEMPLATE (ID, TITLE) > 


! NCLUD 

(ON DUPLICATE USE USER AUTHJON DUPLICATE USE SYSTEM AUTH) > 
! PLICATE USE USER AUTH (#PCDATA) > 

<!ELEMENT ON DUPLICATE USE SYSTEM AUTH (#PCDATA) > 


<!ELEMENT LITE OS SCAN (#PCDATA) > 
<!ELEMENT CUSTOM HTTP HEADER (VALUE?, DEFINITION KEY?, 
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DEFINITION VALUE?) > 

<!ELEMENT VALUE (#PCDATA) > 

<!ELEMENT DEFINITION KEY (#PCDATA) > 
<!ELEMENT DEFINITION VALUE (#PCDATA) > 


<!ELEMENT HOST ALIVE TESTING (#PCDATA) > 


<!ELEMENT ETHERNET IP PROBING (#PCDATA) > 


<!ELEMENT FILE INTEGRITY MONITORING (AUTO UPDATE EXPECTED VALUE?) > 
<!ELEMENT AUTO UPDATE EXPECTED VALUE (#PCDATA) > 


<!ELEMENT CONTROL TYPES (FIM CONTRO 
Š _ CHECKS?) > 
<!ELEMENT FIM CONTROLS ENABLED (#PCDATA)> 
<!ELEMENT CUSTOM WMI QUERY CHECKS (#PCDATA) > 
RWRITE OS (#PCDATA)> 
ENTICATION (#PCDATA) > 


S ENABLED?, 


A 
Ci 
a 
O 
= 
z 
z 
O 
G 
pa] 
K 
Q 
fam] 


T 


N 
= 
s) 
Õ 
Zz 
O 
H 
O 
< 


A 
2 
3 
H 
a | 
3 
D 
G 
3 
T 
Gl 


<!ELEMENT MAP (BASIC INFO GATHERING ON, TCP PORTS?, UDP PORTS?, 
MAP OPTIONS?, MAP PERFORMANCE?, MAP AUTHENTICATION?) > 


<!ELEMENT BASIC INFO GATHERING ON (#PCDATA) > 
<!ELEMENT TCP PORTS STANDARD SCAN (#PCDATA) > 


<!ELEMENT UDP PORTS STANDARD SCAN (#PCDATA) > 


<!ELEMENT MAP OPTIONS (PERFORM LIVE HOST SWEEP?, DISABLE DNS TRAFFIC?)> 
<!ELEMENT PERFORM LIVE HOST SWEEP PCDATA) > 


( 
<!ELEMENT DISABLE DNS TRAFFIC (#PCDATA) > 


<!ELEMENT MAP PERFORMANCE (OVERALL PERFORMANCE, MAP PARALLEL?, 
PACKET DELAY) > 

<!ELEMENT MAP PARALLEL (EXTERNAL SCANNERS, SCANNER APPLIANCES, 
NETBLOCK SIZE) > 


A 
Zz 
= 


TBLOCK SIZE (#PCDATA)> 


<!ELEMENT MAP AUTHENTICATION (#PCDATA)> 


<!ELEMENT ADDITIONAL (HOST DISCOVERY, BLOCK RESOURCES?, PACKET OPTIONS?) > 
<!ELEMENT HOST DISCOVERY (TCP PORTS?, UDP PORTS?, ICMP?)> 


<!ELEMENT TCP ADDITIONAL (HAS ADDITIONAL?, ADDITIONAL PORTS?) > 


<!ELEMENT CUSTOM PORT (#PCDATA) > 


<!ELEMENT ICMP ( 


+ 


PCDATA) > 


<!ELEMENT BLOCK RESOURCES 

( (WATCHGUARD DEFAULT BLOCKED PORTS|CUSTOM PORT LIST), 
(ALL REGISTERED IPS|CUSTOM IP LIST) )> 

<!ELEMENT WATCHGUARD DEFAULT BLOCKED PORTS (#PCDATA) > 
<!ELEMENT CUSTOM PORT LIST (#PCDATA) > 
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ALL R 


<!ELEMENT 


H 
Q 
a 
O 
W 

1] 
D 


NOT SI 


El 
U 


CUSTO 


PACKI 


EGISTERED I 


LIST ( 


ET OPTIONS ( 
TCB RST; 
TCP ACK OR SYN 


IGNORE FIREWAL 
ACK DURING 
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PS (#PCDATA) > 
#PCDATA) > 


IGNORE FIREWALL GENERATED TCP RST?, 
, GENERATED TCP SYN ACK?, 
HOST DISCOVERY?) > 


<!ELEMENT IGNOR 


E FIREWAL 


, GENERATED TCP RST ( 


PCDATA) > 


<!ELEMENT IGNORE ALL TCP RST (#PCDATA) > 

<!ELEMENT IGNORE FIREWALL GENERATED TCP SYN ACK (#PCDATA) > 

<!ELEMENT NOT SEND TCP ACK OR SYN ACK DURING HOST DISCOVERY (#PCDATA) > 
<!ELEMENT INSTANCE DATA COLLECTION (DATABASES?) > 

<!ELEMENT DATABASES (AUTHENTICATION TYPES LIST) > 


<!ELEMENT AUTHI 


<!ELE 
<!ELEMENT 


3 


= 
E, 


OS. BASI 
TECHNO 


D_INSTANCI 


ENTICATION TYPES LIST (AUTHENTICATION TYPE+)> 


3 
3 


E DISC COLLECTION ( 
> 


ECHNOLOGIES?) > 


3 


<!ELEMENT 


TECHNO 


OGIES (TECHNOLOGY + 


OGY (#PC 


XPath descriptions 


XPath 


element specifications / notes 


/OPTION_PROFILES 


OPTION_PROFILE?) 


/OPTION_PROFILES/OPTION 


ROFILE 


BASIC_INFO, SCAN, MAP?, ADDITIONAL, INSTANCE_DATA_COLLECTION?, 
OS_BASED_INSTANCE_DISC_COLLECTION?) 


/OPTION_PROFILES/OPTION_PROFILE/BASIC_INFO 

ID, GROUP_NAME, GROUP_TYPE, USER_ID, UNIT_ID, SUBSCRIPTION_ID, 

S_DEFAULT?, IS_GLOBAL?, IS_OFFLINE_SYNCABLE?, UPDATE_DATE?) 
/OPTION_PROFILES/OPTION_PROFILE/BASIC_INFO/ID (#PCDATA) 

Option profile ID. 
/OPTION_PROFILES/OPTION_PROFILE/BASIC_INFO/GROUP_NAME (#PCDATA) 

Option profile title. 
/OPTION_PROFILES/OPTION_PROFILE/BASIC_INFO/GROUP_TYPE (#PCDATA) 


Option profi 


e group name/type, e.g. user (for user defined), compliance (for 


compliance profile), pci (for PCI vulnerabilities profile), rv10 (for Qualys Top 


10 real time 
profile). 


internal and external vulnerabilities, sans20 (for SANS Top 20 


/OPTION_PROFILES/OPTION_. 


ROFILE/BASIC 


User ID of the option profile owner. 


NFO/USER ID — (4PCDATA) 


(OPTION. PROFILES/OPTION. 


E/BASIC 


NFO/UNIT. ID — (*PCDATA) 


of business unit where option profile is defined. 


/OPTION_PROFILES/OPTION_ 


NFO/SUBSCRIPTION_ID (#PCDATA) 


iption where option profile is defined. 


/OPTION_PROFILES/OPTION_. 


ROFILE/BASIC 


1 means the 


option profi 


NFO/IS DEFAULT (4PCDATA) 


option profile is the default for the subscription, 0 means the 
e is not the default. 
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(OPTION. PROFILES/OPTION. PROFILE/BASIC INFO/IS GLOBAL (4PCDATA) 


1 means the option profile is a global profile, 0 means the option profile is 


not global. 


/OPTION_PROFILES/OPTION_PROFILE/BASIC_INFO/IS_OFFLINE_SYNCABLE (#PCDATA) 


(VM only) “0” means the option profile will be downloaded to your offline 
scanners during the next sync with the platform; “1” means the profile will 
not be downloaded to offline scanners during the next sync. 


(Only applies to Offline Scanner Appliance) 


/OPTION_PROFILES/OPTION_PROFILE/BASIC_INFO/UPDATE_DATE (#PCDATA) 
Date when option profile was last updated. N/A appears if the profile has 


not been updated after creation. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN 


(PORTS?, SCAN_DEAD_HOSTS?, CLOSE_VULNERABILITIES?, 


PURGE_OLD_HOST_OS_CHANGED?, PERFORMANCE?, 
LOAD_BALANCER_DETECTION?, PASSWORD_BRUTE_ 


ULNERABILITY_DETECTION?, AUTHENTICATION?, 


FORCING?, 


DDL_CERT_DETECTION?, DISSOLVABLE_AGENT?, SCAN_RESTRICTION?, 


DATABASE_PREFERENCE_KEY?, SYSTEM_AUTH_RECORD?, LITE OS SCAN?, 


CUSTOM HTTP HEADER?, HOST. ALIVE TESTING?, 
E 


HERNE” IP PROBING?, FILE INTEGRITY MONITORING?, 


, TYPES?, DO NOT. OVERWRITE. 05?, TEST. AUTHENTICATION?) 


/OPTION_PROFILES/OP1 


L 
FION. PROFILE/SCAN/PORTS 
(TCP. PORTS?, UDP PORTS?, AUTHORITATIVE_OPTION?, 


(STANDARD. SCANITARGETED. SCAN)?) 


/OPTION_PROFILES/OP1 


[TION_PROFILE/SCAN/PORTS/TCP_PORTS 


CP_PORTS_TYPE?, TCP PORTS STANDARD SCAN?, 
C 


STANDARD_SCAN?, TCP_ADDITIONAL? 


P_PORTS_ADDITIONAL?, THREE WAY HANDSHAKE?, 


/OPTION. PROFILES/OPTION. PROFILE/SCAN/PORTS/TCP PORTS/TCP PORTS TYPE (#PCDATA) 


TCP ports type, one of: standard (for standard scan, about 1900 TCP ports), 


light (for light scan, about 160 TCP ports), none (for no TCP ports), full (for 


all TCP ports). 


/OPTION_P 


ROFILES/OPT 


HAS_ADDITIONAL?, ADDITIONAL PORTS? 


ON. PROFILE/SCAN/PORTS/TCP. PORTS/TCP. PORTS. ADDITIONAL 


/OPTION_P 
HAS. ADDI'I 


ROFILES/OPT 
TIONAL (#PC 


DATA) 


1 means additional TCP ports defined; 0 means additi 


defined. 


ON_PROFILE/SCAN/PORTS/TCP_PORTS/TCP_PORTS_ADDITIONAL/ 


onal TCP ports not 


/OPTION_P 


ROFILES/OPT 


List of additional TCP ports. 


ON_PROFILE/SCAN/PORTS/TCP_PORTS/TCP_PORTS_ADDITIONAL/ 
ADDITIONAL_PORTS (#PCDATA) 


/OPTION_P 


ROFILES/OPT 


ON PROFILE/SCAN/PORTS/TCP. PORTS/THREE. WAY HANDSHAKE (#PCDATA) 


1 means scans will perform 3-way handshake with target hosts (performed 
only when you have a configuration that does not allow SYN packet to be 
followed by RST packet); 0 means scans will not perform 3-way handshake. 


(OPTION. PROFILES/OPTION. PROFILE/SCAN/PORTS/UDP. PORTS 


(UDP. PORTS TYPE?, UDP PORTS STANDARD SCAN?, 
UDP. PORTS. ADDITIONAL?, (STANDARD. SCANJCUSTOM. PORT)?) 
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(OPTION. PROFILES/OPTION. PROFILE/SCA 


UDP ports 
light (for li 
all UDP ports). 


/PORTS/UDP_PORT 


type, one of: standard 
ght scan, about 30 


[S/UDP_PORTS_TYPE 


for standard scan, ab 
UDP ports), none ( 


(#PCDATA) 


out 180 UDP ports), 


for no UDP ports), full (for 


/OPTION_PROFILES/OPTION_. 


PROFILE/SCAN/PORTS/UI 
HAS ADDITIONAL?, 


DP. PORTS/U 
ADDITIONAL PORTS? 


DP PORTS AD 


2 


DITIONAL 


/OPTION_P 
HAS ADDI'I 


ROFILES/OPTION_ 
TIONAL (#PCDATA 


PROFILE/SCAN/PORTS/UI 


1 means additiona 
defined. 


DP_PORTS/U 


DPAPORTSSAD 


DITIONAL/ 


UDP ports defined; 0 means additional UDP ports not 


/OPTION_PROFILES/OPTION_ 


ADDITIONAL PORTS (#PCDATA) 


PROFILE/SCAN/PORTS/UI 


List of additional UD 


P ports. 


DP PORTS/UDP PORTS ADDITIONAL/ 


(OPTION. PROFILES/OPTION. 


PROFILE/SCAN/PORTS/AUTHORI 


(VM only) “0” means 


ATIVE OPTION 


(4PCDATA) 


for partial port scans we'll update the status for all 


vulnerabilities found regardless of which ports they are found on; “1” 
means for partial scans we’ll update the status of vulnerabilities detected 


by ports scanned. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/PORTS/STANDARD_SCAN 


(4PCDATA) 


PC only) 
scans; 
Omeans s 
ports: 

22 
No 
set 


te: STA 
tings a 


SSH), 23 (telnet) and 513 (rlogin). 
DARD_SCAN or TARGETED_SCAN must be enabled, and these 
e mutually exc 


usive. 


means standard port scan is enabled for Windows and Unix 


tandard port scan is disabled. Standard scan includes well known 


/OPTION_PROFILES/OPTION_PROF 


L 


PC 
for 
No 
set 


te: STA 
tings a 


E/SCAN/PORTS/TARGETED_SCAN (4PCDATA) 


only) A targeted port scan, defined by a custom list of ports, is enabled 

Windows and Unix; 0 means targeted port scan is disabled. 
DARD_SCAN or TARGETED. SCAN must be enabled, and these 

e mutually exc 


usive. 


/OPTION. PROFILES/OPTION. PROF 


ib, 


(VM only) 
“7” means 


“O” means we’ 
we won't scan 


E/SCAN/SCAN. DEAD HOSTS (#PCDATA) 


dead hosts. 


scan dead hosts (this may increase scan time); 


/OPTION. PROFILES/OPTION. PROF 


L 
(HAS. CLO 


E/SCAN/CLOSE_VULN 
SE_VULNERAB 


RABILITIES 
GIES 4 


HOST. NOT. FOUND ALIVE?) 


/OPTION. PROFILES/OPTION. PROF 


(#PCDATA) 


L 


(VM only) “0” means we'l 
processing (vulnerability 
be marked Closed/Fixed); “1” means we won't close vu 


E/SCAN/CLOSE_VULN 


ERABILITIES/HAS CLOSE VU 


LNERABILITIES 


close vulnerabilities on dead hosts during scan 
status will be set to Fixed, and existing tickets will 


nerabilities on dead 


hosts. This option is valid only when the “Close vulnerabilities on dead 


hosts” feature is enabled 
Oualys Account Manager. 


for your subscription by Oua 


ys Support or your 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/CLOSE_VULN 


(#PCDATA) 


(VM only) “O” means scans will perform host alive testi 


vulnerability testing 


(on 


vulnerabilities); “1” mea 


ERABILITIES/HOST_NOT_FOU 


y hosts found alive will be tes 


ND_ALIVE 


ng before 
ted for 


ns scans won't perform host a 


ive testing. 


110 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 3 - Scan Configuration XML 


XPath element specifications / notes 
/OPTION. PROFILES/OPTION. PROFILE/SCAN/PURGE OLD HOST OS CHANGED (#PCDATA) 


(VM only) “0” means we'll purge hosts when OS is changed during scan 
processing; “1” means we won't purge hosts when OS is changed. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/PERFORMANCE 


(PARALLEL_SCALING?, OVERALL_PERFORMANCE, HOSTS_TO_SCAN, 
PROCESSES_TO_RUN, PACKET_DELAY, 
PORT_SCANNING_AND_HOST_DISCOVERY) 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/PERFORMANCE/ 
PARALLEL_SCALING (#PCDATA) 


(VM only)1 means parallel scaling for scanner appliances is enabled; 0 
means parallel scaling for scanner appliances is disabled. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/PERFORMANCE/ 
OVERALL PERFORMANCE (#PCDATA) 


Overall scan performance level, one of: 

Normal - Recommended in most cases, well balanced between intensity 
and speed. 

High - Recommended only when scanning a single IP or small number of 
Ps, optimized for speed and shorter scan times. 

Low - Recommended if responsiveness for individual hosts and services is 
ow, optimized for low bandwidth network connections and highly utilized 
networks. May take longer to complete. 
(OPTION. PROFILES/OPTION. PROFILE/SCAN/PERFORMANCE/HOSTS TO SCAN 


EXTERNAL SCANNERS, SCANNER. APPLIANCES) 


/OPTION. PROFILES/OPTION. PROFILE/SCAN/PERFORMANCE/HOSTS. TO. SCAN/ 
EXTERNAL SCANNERS (#PCDATA) 


Maximum number of hosts to scan in parallel using Oualys cloud (external) 
scanners. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/PERFORMANCE/HOSTS_TO_SCAN/ 
SCANNER_APPLIANCES (#PCDATA) 


Maximum number of hosts to scan in parallel using Qualys Scanner 
Appliances, installed on your internal network. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/PERFORMANCE/PROCESSES_TO_RUN 
TOTAL_PROCESSES, HTTP_PROCESSES) 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/PERFORMANCE/PROCESSES_TO_RUN/ 


TOTAL PROCESSES (#PCDATA) 


Maximum number of total processes to run at the same time per host. 


/OPTION. PROFILES/OPTION. PROFILE/SCAN/PERFORMANCE/PROCESSES. TO RUN/ 
HTTP PROCESSES (#PCDATA) 


Maximum number of HTTP processes to run atthe same time per host. 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/PERFORMANCE/PACKET_DELAY (#PCDATA) 


The delay between groups of packets sent to each host during a scan. 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/PORT_SCANNING_AND_HOST_DISCOVERY (#PCDATA) 


(VM only) The aggressiveness (parallelism) of port scanning and host 
discovery at the port level: Normal, Medium, Low or Minimum. Lowering 
the intensity level has the effect of serializing port scanning and host 
discovery. 
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/OPTION. PROFILES/OPTION. PROFILE/SCAN/LOAD. BALANCER DETECTION #PCDATA) 
(VM only) “0” means scans will detect load balancers and report in QID 
86189” “1” means scans will not detect load balancers. 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/PASSWORD_BRUTE_FORCING 
(SYSTEM, CUSTOM_LIST) 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/PASSWORD_BRUTE_FORCING/SYSTEM 
(HAS_SYSTEM?, SYSTEM_LEVEL?) 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/PASSWORD_BRUTE_FORCING/SYSTEM/ 
HAS_SYSTEM (#PCDATA 
VM only) 1 means system password brute forcing enabled; 0 means system 
password brute forcing is not enabled. 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/PASSWORD_BRUTE_FORCING/SYSTEM/ 


SYSTEM_LEVEL (#PCDATA) 


VM only) System passwo 
empty passwords), 2 (for 
for Exhaustive). 


rd brute forci 
imited), 3 (fo 


ng level, one of: 1 (for minimal, 
Standard, up to 60 per login ID), 4 


/OPTION_PROFILES/OPTION_PROF 
/OPTION_PROFILES/OPTION_PROF 


LE/SCAN/PASSWORD_B 
E/SCAN/PASSWORD_B 


RI 
RI 


07 
UT 
(I 


FE. FORCING/CUS 
[E FORGIN 
TITLE, TYPE, LOGIN. PASSWORD +) 


OM LIST (CUSTOM+) 
OM LIST/CUSTOM 


G/CUS 


/OPTION. PROFILES/OPTION. PROF 


(#PCDATA) 


IE 
D, 
LE/SCAN/PASSWORD B 


RUT 


Note: An Import Option Pro 
brute forcing lists regardless 
configure using Qualys port 


[E FORGIN 


(VM only) Custom password brute forcing list ID. 
file API cal 
of Option Profile XM 
al UL. 


G/CUSTOM_LIST/CUSTOM/ID 


does not import custom password 


L file content. Please 


/OPTION_PROFILES/OPTION_PROF 


(#PCDATA) 


LE/SCAN/PASSWORD_BRU 


Note: An Import Option Pro 
brute forcing lists regardless 
configure using Qualys port 


(VM only) Custom password brute forcing list title. 
le API call does not i 
of Option Profile XM 
al UL. 


FE. FORCING/CUSTOM LIST/CUSTOM/TITLE 


mport custom password 
L file content. Please 


(OPTION. PROFILES/OPTION. PROF 


(#PCDATA) 


LE/SCAN/PASSWORD_BRU 


TE_FORCING/CUSTOM_LIST/CUSTOM/TYPE 


(VM only) Type of custom password brute forcing list, one of: ftp, ssh, 


windows. 


Note: An Import Option Profile API call does not import custom password 


brute forci 
configure 


ng lists regardless of Option Profile XML file content. Please 
using Qualys portal UI. 


/OPTION_PROFILES/OPT 


LOGIN_PASSWORD (#PCDATA) 


ON_PROFILE/SCA 


VM on 
forcing 


y) 
ist. 


/PASSWORD_BRUTE_FORCING/CUSTOM_LIST/CUSTOM/ 


Login/password list (maximum 50) for custom password brute 


/OPTION_PROFILES/OPT 


ON_PROFILE/SCA 


/VULNERABILITY_DE 


ECTION 


(COMPLE 
DETECTION_EXCLUDE?) 


TE|CUSTOM_LIST|RUN 


TIM 


E), DETECTION_INCLUDE?, 


/OPTION_PROFILES/OPT 


ON_PROFILE/SCAN/VULNERABILITY_DE 


VM on 


EQ 


ION/COMPLETE (#PCDATA) 


y) 1 means complete detection is enabled (i.e. run all vulnerability 


tests in the KnowledgeBase); 0 means complete detection is disabled. 
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/OPTION_P 


ROFILES/OPTION_PROFILE/SCAN/VULNERABILITY_DETECTION/CUSTOM_LIST (CUSTOM+) 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/VULNERABILITY_DETECTION/ 


CUS 


OM_LIST/CUSTOM (ID, TITLE) 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/VULNERABILITY_DETECTION/ 


CUS 


OM LIST/CUSTOM/ID (#PCDATA) 


(VM only) The ID of a search list when custom vulnerability detection is 
enabled and certain QIDs will be included in scans. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/VULNERABILITY_DETECTION/ 


CUS 


TOM. LIST/CUSTOM/TITLE (#PCDATA) 


(VM only) The title of a search list when custom vulnerability detection is 
enabled and certain QIDs will be included in scans. The title must exactly 
match a title in the user’s subscription otherwise complete detection is 

used. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/VULNERABILITY_DETECTION/ 


RUN 


TIME (#PCDATA) 


VM only) 1 means vulnerability detection Select at runtime option is 
enabled; 0 means this option is disabled. 


/OPTION_PROFILES/OP1 


TION_PROFILE/SCAN/DETECTION_INCLUDE/ 


BASIC_HOST_INFO_CHECKS, OVAL_CHECKS, QRDI_CHECKS) 


/OPT 


FION. PROFILES/OP'I 


FION. PROFILE/SCAN/DETECTION. INCLUDE/ 
BASIC HOST INFO CHECKS (#PCDATA) 


VM only) 1 means basic host information checks are included in scans; 0 
means basic host information checks are not included. 


/OPTION_PROFILES/OPTION_. 


PROFILE/SCAN/DETECTION_INCLUDE/OVAL_CHECKS (#PCDATA) 


VM only) 1 means OVAL checks are included in scans; 0 means OVAL 
checks are not included in scans. 


/OPTION_PROFILES/OPTION_. 


PROFILE/SCAN/DETECTION INCLUDE/ORDI CHECKS (#PCDATA) 


This flag is for Oualys Internal Use only. 


(OPTION. PROFILES/OPTION. 


DETECTION_EXCLUDE (CUS 


PROFILE/SCAN/DETECTION INCLUDE 
TOM LIST+) 


(OPTION. PROFILES/OPTION 


DETECTION_EXCLUDE/CUS 


z] 
(29) 
O 

El 


LE/SCAN/DETECTION_INCLUDE 


LIST (ID, TITLE) 


/OP1 


TION_PROFILES/OPTION 


DETECTION_EXCLUDE/CUS 


PROFILE/SCAN/DETECTION_INCLUDE, 


OM 


_LIST/ID (#PCDATA) 


VM only) 1 means certain QIDs are always excluded from scans; 0 means 
this option is not enabled. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DETECTION_INCLUDE/ 


DETECTION EXCLUDE/CUSTOM. 


LIST/TITLE (4PCDATA) 


VM only) The title of a search list defining QIDS that are always excluded 
from scans. The title must exactly match a title in the user’s subscription 
otherwise QIDs are not excluded. 


/OPT 


TION_PROFILES/OP1 


[TION_PROFILE/SCAN/AUTHENTICATION (#PCDATA) 


(VM only) Types of authentication enabled: Windows, Unix/Cisco etc. need 
valid values 


/OPT 


FION. PROFILES/OP'I 


[ION PROFILE/SCAN/ADDL CERT. DETECTION (#PCDATA) 


(VM only) 1 means scans will detect additional certificates beyond ports; 0 
means scans won't detect these certificates. 
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(OPTION. PROFILES/OPTION. PROFILE/SCAN/DISSOLVABLE. AGENT/ 
(DISSOLVABLE AGENT. ENABLE, PASSWORD. AUDITING ENABLE?, 


WINDOWS. SHARE ENUMERATION ENABLE, 
WINDOWS. DIRECTORY. SEARCH ENABLE?) 


(OPTION. PROFILES/OPTION. PROFILE/SCAN/DISSOLVABLE. AGENT/ 
DISSOLVABLE AGENT. ENABLE (4PCDATA) 


“0” means Qualys Dissolvable Agent is enabled for your subscription; “1” 
means the Qualys Dissolvable Agent is not enabled. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DISSOLVABLE_AGENT/PASSWORD_AUDITING_ENABLE 


(HAS_PASSWORD_AUDITING_ENABLE?, 
CUSTOM PASSWORD. DICTIONARY?) 


(OPTION. PROFILES/OPTION. PROFILE/SCAN/DISSOLVABLE AGENT/ 
PASSWORD. AUDITING ENABLE/HAS. PASSWORD. AUDITING. ENABLE (#PCDATA) 


(PC only) “0” means Password Auditing is enabled using Oualys Dissolvable 
Agent, “1” means this feature is disabled. 
(Applies only when Dissolvable Agent is enabled using Qualys portal UI). 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DISSOLVABLE_AGENT/PASSWORD_AUDITING_ENABLE/ 
CUSTOM_PASSWORD_DICTIONARY (#PCDATA) 


(PC only) “0” means the Custom Password Dictionary for Password Auding is 
enabled using Qualys Dissolvable Agent, “1” means this feature is disabled. 
(Applies only when Dissolvable Agent is enabled using Qualys portal UI). 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DISSOLVABLE_AGENT/ 
WINDOWS_SHARE_ENUMERATION_ENABLE (#PCDATA 


“0” means Windows Share Enumeration is enabled using Qualys 
Dissolvable Agent; “1” means this option is not enabled. 
Applies only when Dissolvable Agent is enabled using Qualys portal UI). 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DISSOLVABLE_AGENT/ 
WINDOWS_DIRECORY_SEARCH_ENABLE (#PCDATA) 


C only) “0” means Windows Directory Search is enabled using Qualys 
issolvable Agent; “1” means this option is not enabled. 
Applies only when Dissolvable Agent is enabled using Qualys portal UI). 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/SCAN_RESTRICTION (SCAN_BY_POLICY?) 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/SCAN_RESTRICTION 
SCAN_BY_POLICY (POLICY+) 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/SCAN_RESTRICTION 
( 


ie O ty 
BY_POLICY/POLICY (POLICY ID, POLICY. TITLE) 
/OPTION_PROFILES/OPTIO 
B 


U0 


E N_PROFILE/SCAN/SCAN_RESTRICTION 
POLICY/POLICY/ID (#PCDATA) 


(PC only) For scan restriction, the ID of the policy to restrict the scan to. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/SCAN_RESTRICTION 
SCAN_BY_POLICY/POLICY/TITLE (#PCDATA 


(PC only) For scan restriction, the title of the policy to restrict the scan to. 


Note: An Import Option Profile API call does not import policies for this 
feature. Please configure using Qualys portal UI. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DATABASE_PREFERENCE_KEY 
(MSSQL?, ORACLE?, SYBASE?, POSTGRESQL?) 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DATABASE_PREFERENCE_KEY/MSSQL 
(DB_UDC_RESTRICTION, DB_UDC_LIMIT) 
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/OPTION. PROFILES/OPTION. PROFILE/SCAN/DATABASE PREFERENCE, KEY/MSSOL/DB UDC RESTRICTION 


(#PCDATA) 


(PC only) (Optional) Set value to 1 if you want to specify a limit on the 
number of rows to be returned per scan for custom 


MSSQL Database checks. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DATABASE_PREFERENCE_KEY/MSSQL/DB_UDC_LIMIT 


(#PCDATA) 


(PC only) Provide a value to define the number of rows to be 


returned per scan. 


/OP1 
(DB. 


FION. PROFILES/OP'I 
UDC. RESTRICTION, DB UDC LIMIT) 


FION. PROFILE/SCAN/DATABASE. PREFERENC 


E KEY/ORACLE 


/OPTION_PROFILES/OP1 


(#PCDATA) 


[TION_PROFILE/SCAN/DATABASE_PREFERENC 


(PC only) ( 
number o 
Oracle Da 


Optional) Set value to 
f rows to be re 
tabase checks. 


i 
turned per 


E KEY/ORACLE/DB UDC, RESTRICTION 


f you want to specify a limit on the 
scan for custom 


(OPTION. PROFILES/OPTION. PROFILE/SCAN/DATABASE P 


(#PCDATA) 


REFERENC 


(PC only) Provide a value to define 
returned per scan. 


E_KEY/ORACLE/DB_UDC_LIMIT 


the number of rows to be 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DAT 
UDC_RESTRICTION, DB_UDC_LIMIT) 


(DB. 


TABASE PREFERENC 


E KEY/SYBASE 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DAT 


(#PCDATA) 


TABASE_PREFERENC 


(PC only) (Optional) Set value to 1 i 
number of rows to be returned per 
Sybase Database checks. 


E_KEY/SYBASE/DB_UDC_RESTRICTION 


f you want to specify a limit on the 
scan for custom 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DATABASE_P 


(#PCDATA) 


REFERENC 


E_KEY/SYBASE/DB_UDC_LIMIT 


(PC only) Provide a value to define the number of rows to be 


returned per scan. 


/OPTION_PROFILES/OP1 
(DB. 


UDC. RESTRICTION, DB UDC LIMIT) 


[TION_PROFILE/SCAN/DAT 


TABASE_PREFERENCE_KEY/POS] 


FGRESOL 


/OPTION_PROFILES/OP1 
ION (#PCDATA) 


[TION_PROFILE/SCAN/DAT 


TABASE_PREFERENCE_KEY/POS] 


TGRESQL/DB_UDC_RESTRICT 


(PC only) Provide a value to define the number of rows to be 


returned per scan. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DATABASE_PREFERENCE_KEY/POSTGRESQL/DB_UDC_LIMIT 


(#PCDATA) 


(PC only) Provide a value to define the number of rows to be 


returned per scan. 


/OPTION_PROFILES/OP1 
(DB. 


UDC. RESTRICTION, DB UDC LIMIT) 


[TION_PROFILE/SCAN/DAT 


TABASE_ PREFERENCE KEY/SAPIO 


/OPTION_PROFILES/OP1 
(#PCDATA) 


TION_PROFILE/SCAN/DAT 


TABASE_PREFERENCE_KEY/SAPIQ/DB_UDC_RESTRICTION 


(PC only) Provide a value to define the number of rows to be 


returned per scan. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DATABASE_PREFERENCE_KEY/SAPIQ/DB_UDC_LIMIT (#PCDATA) 
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(PC only) Provide a value to define the number of rows to be 
returned per scan. 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/DATABASE_PREFERENCE_KEY/DB2 


(DB_UDC_RESTRICTION, DB_UDC_LIMIT) 


/OPTION_PROFILES/OPTION_PROFIL 
(#PCDATA) 


(PC only) Set value to 1 if 


E/SCAN/DAT 


TABASE_P 


REFERENCE_KEY/DB2/DB_UDC_RESTRICTION 


you want to specify a limit on the number of rows 


to be returned per scan for custom IBM DB2 Database checks. The default 
value is 0. 
/OPTION. PROFILES/OPTION. PROFILE/SCAN/DATABASE. PREFERENCE. KEY/DB2/DB UDC LIMIT (#PCDATA) 
(PC only) Provide a value to define the number of rows to be 
returned per scan. The default value is 256 and maximum allowed limit is 
5000 rows. 
/OPTION. PROFILES/OPTION. PROFILE/SCAN/SYSTEM. AUTH. RECORD 
(ALLOW. AUTH. CREATIONJINCLUDE SYSTEM. AUTH) 
/OPTION. PROFILES/OPTION. PROFILE/SCAN/SYSTEM. AUTH RECORD/ALLOW. AUTH. CREATION 
(AUTHENTICATION TYPE LIST, IBM. WAS DISCOVERY MODE, ORACLE AUTHENTICATION. TEMPLATE 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/SYSTEM_AUTH_RECORD/ALLOW_AUTH_CREATION/AUTHENTI 
CATION_TYPE_LIST (AUTHENTICATION_TYPE+) 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/SYSTEM_AUTH_RECORD/ALLOW_AUTH_CREATION/AUTHENTI 
CATION_TYPE_LIST/AUTHENTICATION_TYPE (#PCDATA) 
(PC only) The option “Allow instance discovery and record creation” is 
enabled for Apache Web Server, IBM WebSphere App Server, Jboss Server, 
Tomcat Server and Oracle authentication types. 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/SYSTEM_AUTH_RECORD/ALLOW_AUTH_CREATION/IBM_WAS_ 
DISCOVERY. MODE (#PCDATA) 
(PC only) Specify ibm. was discovery. mode with a value of “server. dir” to 
discover instances from the server directory or “installation. dir” to discover 
instances from the installation directory. 
(OPTION. PROFILES/OPTION. PROFILE/SCAN/SYSTEM. AUTH RECORD/ALLOW. AUTH. CREATION/ORACLE A 
UTHENTICATION. TEMPLATE (ID, TITLE) 
(OPTION. PROFILES/OPTION. PROFILE/SCAN/SYSTEM. AUTH RECORD/ALLOW. AUTH. CREATION/ORACLE A 
UTHENTICATION_TEMPLATE/ID (#PCDATA 
(PC only) The ID of the Oracle system record template selected when the 
option “Allow instance discovery and record creation” is enabled for Oracle 
authentication type. 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/SYSTEM_AUTH_RECORD/ALLOW_AUTH_CREATION/ORACLE_A 


UTH 


ENTICATION_TEMPLATE/TITLE (#PCDATA) 


(PC only) The title of the 


option “Al 


authentication type. 


ow instance discovery and record creation” is enabled for O 


Oracle system record template selected when the 
acle 


/OPTION_PROFILES/OPTION_PROFILE/SCAN 


(ON_DUPLICATE_USE_USER_AUTH|ON_DUPLICATE_USE_SYSTEM_AUTH) 


/SYSTEM. AU'I 


FH RECORD/INCLUDE SYSTEM. AUTH 


(PC only) A value of 0 for “Include system authentication“ parameter 


indicates 


that user authentication record w: 


authentication scan. 


ill be selected for 


/OPTION. PROFILES/OPTION. PROFILE/SCAN/SYSTEM. AUTH. RECORD/INCLUI 


ATE USE USER AUTH (#PCDATA) 
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DE SYSTEM. AUTH/ON. DUPLIC 


XPath 


element specifications / notes 


(PC only) The option “Include system created authe 


scans” is enabled, and a value of 1 
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ntication records in 
indicates that the user created record 


will be used when there are 2 records for the same instance configuration. 


(OPTION. PROFILES/OPTION. PROFILE/SCAN/SYSTEM. AUTH. RECOR 
ATE USE SYSTEM. AUTH (#PCDATA) 


(PC only) The option “Inc 
scans” is enabled, and a value of 1 


will be used when there are 2 records for the same i 


ude system created authe 


D/INCLUDE. SYSTEM. AUTH/ON. DUPLIC 


ntication records in 
ndicates that the system created record 
nstance configuration. 


/OPTION. PROFILES/OPTION. PROFILE/SCAN/LITE OS SCAN (#PCDATA) 
(VM only) “0” means Lite OS detection is enabled; “1” means this feature is 
not enabled. 
(OPTION. PROFILES/OPTION. PROFILE/SCAN/CUSTOM HTTP HEADER 
(VALUE?, DEFINITION. KEY?, DEFINITION. VALUE?) 
/OPTION. PROFILES/OPTION. PROFILE/SCAN/CUSTOM. HTTP. HEADER/VALUE (#PCDATA) 
(VM only) “0” means a custom HTTP header key is defined (used for many 
CGI and Web application fingerprinting checks); “1” means this feature is 
not enabled. 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/CUSTOM_HTTP_HEADER/ 
DEFINITION_KEY? (#PCDATA) 
(VM only) Key used in custom HTTP header. 
/OPTION_PROFILES/OPTION_PROFILE/SCAN/CUSTOM_HTTP_HEADER/ 
DEFINITION. VALUE (#PCDAT. 
(VM only) Key value used in custom HTTP header. 
/OPTION. PROFILES/OPTION. PROFILE/SCAN/ETHERNET. IP PROBING (#PCDATA) 
This flag is for Oualys Internal Use only. 
/OPTION. PROFILES/OPTION. PROFILE/SCANY/FILE. INTEGRITY. MONITORING 
(AUTO UPDATE EXPECTED. VALUE? 
/OPTION. PROFILES/OPTION. PROFILE/SCANY/FILE. INTEGRITY. MONITORING/AUTO UPDATE EXPECTED VAL 
UE (#PCDATA) 


option profile, the value ofthis ele 


is enabled or disabled. 


PC only) Specify 1 if you want to enable the option. When you export an 


ment indicates if the auto update option 


/OPTION_PROFILES/OP1 


FION. PROFILE/SCAN/CONTROL TYPES 
FIM. CONTROLS ENABLE 


D?, CUSTOM. WMI OUERY CHECKS?) 


/OPTION_PROFILES/OP1 


FIM CONTROLS ENABLED (#PCDATA) 


FION. PROFILE/SCAN/CONTROL TYPES/ 


PC only 
means these controls are enabled. 


feature. Please configure using Ou 


“0” means File Integrity Monitoring controls are disabled; “1” 


Note: An Import Option Profile API call does not import policies for this 


alys portal UI. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/CONTROL_TYPES/ 


CUSTOM_WMI_QUERY_ 


CHECKS (4PCDATA) 


(PC only) “0” means Custom WMI Query Checks controls are disabled; “1” 


means these controls are enabled. 


/OPTION_PROFILES/OPTION_PROFILE/SCAN/DO_NOT_OVERWRITE_OS (#PCDATA) 


117 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 3 - Scan Configuration XML 


XPath element specifications / notes 


(VM only) Specify 1 if you want to enable the option. When you export an 
option profile, the value of this element indicates if the Do Not Overwrite 
OS option is enabled or disabled. 


/OPTION. PROFILES/OPTION. PROFILE/SCAN/TEST. AUTHENTICATION (#PCDATA) 


(VM only) Specify 1 if you want to enable the option. When you export an 
option profile, the value of this element indicates if the Test Authentication 
option is enabled or disabled. 


/OPTION. PROFILES/OPTION. PROFILE/MAP 


(BASIC. INFO GATHERING ON, TCP. PORTS?, UDP PORTS?, 
MAP OPTIONS?, MAP PERFORMANCE, MAP. AUTHENTICATION?) 


/OPTION. PROFILES/OPTION. PROFILE/MAP/BASIC. INFO GATHERING ON (#PCDATA) 


(VM only) Perform basic information gathering on, one of: all (all hosts 
detected by the map), registered (hosts in your account), netblock (hosts 
added to a netblock in your account), none 


/OPTION_PROFILES/OPTION_PROFILE/MAP/TCP_PORTS 
TCP_PORTS_STANDARD_SCAN?, TCP. PORTS. ADDITIONAL?) 
/OPTION. PROFILES/OPTION. PROFILE/MAP/TCP. PORTS/TCP. PORTS STANDARD SCAN (4PCDATA) 


VM only) 1 means standard TCP port scan (about 13 ports) is enabled; 0 
means standard TCP port scan is disabled. 


(OPTION. PROFILES/OPTION. PROFILE/MAP/TCP. PORTS/TCP. PORTS ADDITIONAL 


(HAS ADDITIONAL?, ADDITIONAL PORTS?) 


/OPTION. PROFILES/OPTION. PROFILE/MAP/TCP. PORTS/TCP PORTS. ADDITIONAL/ 
HAS ADDITIONAL (#PCDATA 


VM only) 1 means additional TCP ports defined; 0 means additional TCP 
ports not defined. 


/OPTION. PROFILES/OPTION. PROFILE/MAP/TCP. PORTS/TCP. PORTS. ADDITIONAL/ 
ADDITIONAL PORTS (#PCDATA) 


VM only) List of additional TCP ports. 
/OPTION. PROFILES/OPTION. PROFILE/MAP/UDP PORTS 
UDP PORTS STANDARD SCAN?, UDP PORTS. ADDITIONAL?) 


(OPTION. PROFILES/OPTION. PROFILE/MAP/UDP PORTS/UDP. PORTS STANDARD SCAN (4PCDATA) 


(VM only) 1 means standard UDP port scan (about 6 ports) is enabled; 0 
means standard UDP port scan is disabled. 


/OPTION. PROFILES/OPTION. PROFILE/MAP/UDP PORTS/UDP. PORTS. ADDITIONAL 


(HAS ADDITIONAL?, ADDITIONAL PORTS? 


/OPTION. PROFILES/OPTION. PROFILE/MAP/UDP PORTS/UDP. PORTS. ADDITIONAL/ 
HAS ADDITIONAL (#PCDATA 


(VM only) 1 means additional UDP ports defined; 0 means additional UDP 
ports not defined. 


/OPTION_PROFILES/OPTION_PROFILE/MAP/TCP_PORTS/TCP_PORTS_ADDITIONAL/ 
ADDITIONAL_PORTS (#PCDATA) 


(VM only) List of additional UDP ports. 
/OPTION_PROFILES/OPTION_PROFILE/MAP/MAP_OPTIONS 
(PERFORM_LIVE_HOST_SWEEP?, DISABLE_DNS_TRAFFIC?) 

/OPTION_PROFILES/OPTION_PROFILE/MAP/MAP_OPTIONS/PERFORM_LIVE_HOST_SWEEP (#PCDATA) 
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VM only) “0” me 


this option is disabled. 


ans Perform Live Host Sweep option is enabled; “1” means 


/OPTION_PROFIL 


ES/O 


PTION PROF 


VM only) “0” me 


option is disabled. 


LE/MAP/MAP OPTIONS/DISABLE. DNS. TRAFFIC (#PCDATA) 


ans Disable DNS Traffic option is enabled; “1” means this 


/OPTION_PROFIL 


ES/O 


DT 


[ION PROF 
OVERALL PERFORMANCE, MAP PARALLEL?, PACKET. DELAY) 


LE/MAP/MAP P 


ERFORMANCE 


/OPTION_PROFIL 
OVERAL 


ES/O 


DER 


DT 


FION. PROF 
RMANCE (4PCDATA) 


LE/MAP/MAP P 


VM only) Overal 
and speed. 
igh - Opti 
firewalls and oth 
Low - Optimized 
to complete. 


mized for s 


ERFORMANCE/ 


map performance level, one of: 


Normal - Recommended in most cases, well balanced between intensity 


peed; may be faster to complete but may overload 
er networking devices. 
for low bandwidth network connections, may take longer 


/OPTION_PROFIL 


ES/OPT 


ON_PROF 


LE/MAP/MAP_P 
(EXTERNA 


_ SCANNERS. 


ERFORMANCE /MAP_PARALLEL 


, SCANNER_APPLIANCES, NETBLOCK_SIZE) 


/OPTION_PROFIL 


EXT 


ERNAL_SCANNERS 


ESO 


ON_PROF 
#PCDATA) 


(VM only) Maximum nu 
external) scanne 


LE/MAP/MAP_P 


cloud 


ERFORMANCE /MAP_PARALLEL/ 


mber of netblocks to map in parallel using Qualys 
s. 


/OPTION_PROFIL 
SCANNER_APPLIANCES (#PCDATA) 


ES/OPT 


ON PROF 


LE/MAP/MAP P 


(VM on 
Scanne 


ERFORMANCE /MAP_PARALLEL/ 


y) Maximum number of netblocks to map in parallel using Qualys 
Appliances, installed on your internal network. 


/OP1 


NETBLOCK_SIZE (#PCDATA) 


TION_PROFILES/OPTION_PROFILE/MAP/MAP_PERFORMANCE /MAP_PARALLEL/ 


VM only) Maximum number of IPs per netblock to map in parallel per 
scanner. 
/OPTION_PROFILES/OPTION_PROFILE/MAP/MAP_PERFORMANCE /PACKET_DELAY (#PCDATA) 
VM only) Delay between groups of packets sent to the netblocks being 
mapped. With short delya packets are sent more frequently resulting in 
more bandwidth utilization and shorter mapping time. With long delay, 
packets are sent less frquently, resulting in less bandwidth utilization and 
onger mappinig time. 
/OPTION_PROFILES/OPTION_PROFILE/MAP/MAP_AUTHENTICATION (#PCDATA) 
(VM only) 1 means VMware authentication is enabled for maps; 0 means 
this option is disabled. 
/OPTION_PROFILES/OPTION_PROFILE/ADDITIONAL 
HOST. DISCOVERY, BLOCK_RESOURCES?, PACKET. OPTIONS?) 
/OPTION. PROFILES/OPTION. PROFILE/ADDITIONAL/HOST. DISCOVERY 
(TCP. PORTS?, UDP PORTS?, ICMP?) 
/OPTION. PROFILES/OPTION. PROFILE/ADDITIONAL/HOST. DISCOVERY/TCP. PORTS 
(STANDARD. SCAN?, TCP. ADDITIONAL?) 
(OPTION. PROFILES/OPTION. PROFILE/HOST. DISCOVERY/TCP. PORTS/STANDARD. SCAN 


1 means standard TCP ports (13 ports) are scanned during host discovery; 
O means standard TCP port scan option is not enabled. 
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element specifications / notes 
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/OPTION_P 
(HAS_ADDI 


ROFILES/OP'I 
TIONAL?, AD 


ON 


_PROFILE/ADDITIONAL/H 
DITIONAL_PORTS?) 


051 


[ DISCOVE 


RY/TCP. PORTS/TC 


P ADDITIONAL 


/OPTION_P 
HAS ADDI'I 


ROFILES/OP'I 


ON 


_PROFILE/ADDITIONAL/H 
TIONAL (#PCDATA) 


051 


[ DISCOVE 


ROC RERORTSHIG 


1 means additional TCP ports are scanned during hos 
no additional TCP ports are defined for host discovery. 


P_ADDITIONAL/ 


t discovery; 0 means 


/OPTION_PROFILES/OPT 


ADDITIONAL PORTS (PC 


ON. PROFILE/AD 


DATA) 


List of addi 


DITIONAL/HOS' 


tional TC 


[ DISCOVE 


RY/TCP_PORTS/TC 


P_ADDITIONAL/ 


P ports that are scanned during host discovery. 


/OPTION_PROFILES/OP1 
(STANDARD_SCAN|CUS 


_PROFILE/AD) 


DITIONAL/HOS] 


P_DISCOVERY/UDP _ 


PORTS 


/OPTION_PROFILES/OP1 
STANDARD_SCAN (#PC 


DATA) 


_PROFILE/AD) 


eans s 


means st 


DITIONAL/HOS] 


andard U 


tandard UD 


P_DISCOVERY/UDP_ 


DP ports (6 ports) are sc 
P port scan option is no 


PORTS/ 


t enabled. 


anned during host discovery; 0 


ROFILES/OP' 
PCDATA) 


E/ADI 


Custom 


DITIONAL/HOS] 


list of 


P_DISCOV 


UDP ports that are 


ERY/UDP_PORTS/ 


scanned during host discovery. 


_PROFILES/OPT 


E/AD 


un» 


means 
orts are n 


DITIONAL/HOST 


ot sca 


[ DISCOV 


ERY/ICMP 


discovery. 


CMP ports are scanned during host discovery; “1” means these 
nned during host 


/OPTION. PROFILES/OPT 


E/ADI 


DIT 


L/BLOCK RESOU 


RGES 


(ALL. RE 


WATCHGU 


ONA 
ARD 


DEFAULT_BLOCKED_PORTS|CUSTOM_PORT_LIST), 
GISTERED_IPS|CUSTOM_IP_LIST)) 


/OPTION_PROFILES/OP1 


WATCHGUARD DEFAULI 


[ B 


_PROFILE/AD 
LOCKED_POR1 


1 
will not 


E 
A 
DATA) 


DITION 
PS (EPC 


be 


L/BLOCK_RESOU 


RCES/ 


means WatchGuard Firebox System series default ports are blocked and 
scanned; O means these ports are not blocked. 


/OPTION_PROFILES/OPT 


ON_PROFILE/AD 


CUSTOM PORT. LIST (#PCDATA) 


DITIONAL/BLOCK_RESOURCES/ 


1 means a custom list of blocked ports is defined and these ports will not be 
scanned; 0 means a custom list of blocked ports is not defined. 


/OPTION_PROFILES/OPTION_PROFILE/AD 
ALL_REGISTERED_IPS (#PCDATA) 


DITIONAL/BLOCK_RESOURCES/ 


1 means all registered IP addresses protected by your firewall/IDS are 
blocked and will not be scanned; 0 means all registered IP addresses are not 


blocked. 


/OPTION_PROFILES/OPTION_PROFILE/AD 
CUSTOM_IP_LIST (#PCDATA) 


Custom 
are bloc 


ked and will not be sc 


a 


DITIONAL/BLOCK_RESOURCES/ 


nned. 


list of registered IP addresses protected by your firewall/IDS that 


/OPTION_PROFILES/OPTION_PROFILE/AD 


DITIONAL/PACKET_OP1 


TIONS 


(IGNORE_FIREWALL_GENERATED_TCP_RST?, IGNORE_ALL_TCP_RST?, 


IGNORE 


_FIREWALL_GENERATE 
NOT SEND TCP ACK OR SYN 


DRRGRES ANAC Kas 


ACK_DURING_HOST_DISCOVERY? 


/OPTION_PROFILES/OPTION_PROFILE/ADDITIONAL/PACKET_O 
IGNORE_FIREWALL_GENERATED_TCP_RST (#PCDATA) 
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“0” means scans will try to identify firewall generated TCP RST packets and 


ignore them when found; “1” means scans will not try to identify and ignore 
TCP RST packets. 


/OPTION_PROFILES/OPTION_PROFILE/ADDITIONAL/PACKET_OPTIONS/ 


IGNORE_ALL_TCP_RST (#PCDATA 
Applies t 


un 


o maps only) 


means maps will ignore all TCP RST packets, both 
firewall generated and live hist generated; “false” means maps do not 
ignore these packets. 


/OPTION_PROFILES/OPTION_PROFILE/ADD 


IGNORE_FIREWALL_GENERATED_TCP_SYN_ACK (#PCDATA) 


tempt to determ 
nd ignore those packets that appear to 
from such devices; “1” means scans do not try to ignore packets 
tering devices. 


“0” means scans at 
generated by a filtering device a 


originate 


that appear to origi 


TIONAL/PACKET_OPT 


nate from fil 


ONS/ 


ine if TCP SYN-ACK packets are 


/OPTION_PROFILES/OPTION_PROFILE/ADD 


TIONAL/PACKET_OPT 


ONS/ 


NOT SEND TCP ACK OR SYN ACK DURING HOST DISCOVERY (#PCDATA) 


“0” means scans do not send TCP ACK or SYN-ACK packets during host 
discovery; “1” means scans send these packets. (Valid only when 


THREE_WAY_HANDSHAKE is disab 


ed.) 


/OPTION_PROFILES/OPT 


ON_PROFILE/INSTANCE_DAT 


TA COLLECTION (DATABASES?) 


/OPTION. PROFILES/OPT 
(AUTHENTICATION. TYPES LIST) 


ON. PROFILE/INSTANCE. DATA COLLECTION/DATABASES 


(OPTION. PROFILES/OPTION. PROF 
S LIST/AUTHENTICATION. TYPE 


LE/INSTANCE. DATA COLLEC 
AUTHENTIGAT 


Database instance type for which OS-auth-based data collection is enabled. 


ON TYPE+ 


ION/DATABASES/AUTHENTICATION TYPE 


(OPTION. PROFILES/OPTION. PROF 


LE/OS BASED. 


NSTANCE_ 


DISC_COLLECTION (TECHNOLOGIES?) 


/OPTION_PROFILES/OPT 
(TECHNOLOGY +) 


ON_PROF 


LE/OS_BASED_ 


NSTANCE_ 


DISC_COLLEC 


ION/TECHNOLOGIES 


/OPTION. PROFILES/OPT 
OGY (#PCDATA) 


ON_PROF 


OS-based instance di 
ection is enabled. 


col 


LE/OS_BASED_ 


NSTANCE_ 


DiISGaG ORE: 


scovery technologies 


ION/TECHNOLOGIES/TECHNOL 


for which OS-auth-based data 
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Chapter 4 - Scan Authentication XML 


This section describes the XML output returned from Scan Authentication API reguests. 
Authentication Record List Output 

Authentication Record List by Type Output 

Authentication Vault List Output 

Authentication Vault View Output 
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Authentication Record List Output 


API used 
<platform API server>/api/2.0/fo/auth/ with action=list 


DTD for Auth Record List Output 
<platform API server>/api/2.0/fo/auth/auth_records.dtd 


A recent DTD is shown below. 


<!-- QUALYS AUTH RECORDS OUTPUT DTD ==> 
<!-- SRevision$ --> 
<!ELEMENT AUTH RECORDS OUTPUT (REOUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?)> 
<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARA | LIST (PARAM+) > 

<!ELEMENT PARA (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


zo] 


<!ELEMENT RESPONSE (DATETIME, AUTH RECORDS?, WARNING LIST?) > 
<!ELEMENT AUTH RECORDS (AUTH UNIX IDS?, AUTH WINDOWS IDS?, 

AUTH ORACLE IDS?, AUTH ORACLE LISTENER IDS?, AUTH SNMP IDS?, 

AUTH MS SOL IDS?, AUTH IBM DB2 IDS?, AUTH VMWARE IDS?, AUTH MS IIS IDS?, 
AUTH APACHE IDS?, AUTH IBM WEBSPHERE IDS?, AUTH HTTP IDS?, 

AUTH SYBASE IDS?, AUTH MYSOL IDS?, AUTH TOMCAT IDS?, 

AUTH ORACLE WEBLOGIC IDS?, AUTH DOCKER IDS?, AUTH POSTGRESOL IDS?, 
AUTH MONGODB IDS?, AUTH PALO ALTO FIREWALL IDS?, AUTH VCENTER IDS?, 
AUTH JBOSS IDS?, AUTH MARIADB IDS?, AUTH INFORMIXDB IDS?, 

AUTH MS EXCHANGE IDS?, AUTH ORACLE HTTP SERVER IDS?, AUTH GREENPLUM IDS?, 
AUTH MICROSOFT SHAREPOINT IDS?,AUTH KUBERNETES IDS?, AUTH SAPIO IDS?, 
AUTH SAP HANA IDS?, AUTH NEO4J IDS?, AUTH AZURE MS SOL IDS?, 

AUTH NETWORK SSH IDS?)> 

<!ELEMENT AUTH UNIX IDS (ID SET)> 

<!ELEMENT AUTH WINDOWS IDS (ID SET)> 

<!ELEMENT AUTH ORACLE IDS (ID SET)> 

<!ELEMENT AUTH ORACLE LISTENER IDS (ID SET)> 

<!ELEMENT AUTH SNMP IDS (ID SET) 

<!ELEMENT AUTH MS SOL IDS (ID SET)> 

<!ELEMENT AUTH IBM DB2 IDS (ID SET)> 

<!ELEMENT AUTH VMWARE IDS (ID SET)> 

<!ELEMENT AUTH MS IIS IDS (ID SET)> 

<!ELEMENT AUTH APACHE IDS (ID SET)> 

<!ELEMENT AUTH IBM WEBSPHERE IDS (ID SET)> 

<!ELEMENT AUTH HTTP IDS (ID SET)> 
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<!ELEMENT AUTH SYBASE IDS (ID SET)> 
<!ELEMENT AUTH MYSOL IDS (ID SET)> 
<!ELEMENT AUTH TOMCAT IDS (ID SET)> 
<!ELEMENT AUTH ORACLE WEBLOGIC IDS (ID S 
<!ELEMENT AUTH DOCKER IDS (ID SET)> 
<!ELEMENT AUTH POSTGRESOL IDS (ID SET)> 
<!ELEMENT AUTH MONGODB IDS (ID SET)> 
<!ELEMENT AUTH PALO ALTO FIREWALL IDS (1 
<!ELEMENT AUTH VCENTER IDS (ID SET)> 
<!ELEMENT AUTH JBOSS IDS (ID SET)> 
<!ELEMENT AUTH MARIADB IDS (ID SET)> 
<!ELEMENT AUTH INFORMIXDB IDS (ID SET)> 
<!ELEMENT AUTH MS EXCHANGE IDS (ID SET)> 
<!ELEMENT AUTH ORACLE HTTP SERVER IDS (1 
<!ELEMENT AUTH GREENPLUM IDS (ID SET)> 
<!ELEMENT AUTH MICROSOFT SHAREPOINT IDS 
<!ELEMENT AUTH KUBERNETES IDS (ID SET)> 
<!ELEMENT AUTH SAPIQ IDS (ID SET)> 
<!ELEMENT AUTH SAP HANA IDS (ID_SET)> 
<!ELEMENT AUTH NEO4J_IDS (ID_SET)> 
<!ELEMENT AUTH AZURE MS SQL IDS (ID_SET) 
<!ELEMENT AUTH NETWORK SSH IDS (ID SET)> 
<!ELEMENT WARNING LIST (WARNING+) > 
<!ELEMENT WARNING (CODE?, TEXT, URL?, ID 
<!ELEMENT CODE (#PCDATA) > 

<!ELEMENT TEXT (#PCDATA) > 

<!ELEMENT URL (#PCDATA) > 

<!ELEMENT ID SET (ID|ID RANGE) +> 
<!ELEMENT ID (#PCDATA) > 

<!ELEMENT ID RANGE (#PCDATA) > 

<!-- EOF --> 
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(ID_SET) > 
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XPaths for Authentication Record List Output 


XPath element specifications / notes 
/AUTH. RECORDS OUTPU (REOUEST?, RESPONSE) 


/AUTH. RECORDS OUTPUT/REOUEST 
(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/AUTH RECORDS OUTPUT/REOUEST/DATETIME — (4PCDATA) 


The date and time of the API request. 


/AUTH RECORDS OUTPUT/REOUEST/USER LOGIN (#PCDATA) 


[he user login ID of the user who made the request. 
/AUTH RECORDS OUTPUT/REOUEST/RESOURCE (4PCDATA) 


The resource specified for the request. 
PUT/REOUEST/PARAM LIST (PARAM+) 
PUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
PUT/REOUEST/PARAM LIST/PARAM/KEY (#PCDATA) 
An input parameter name. 
/AUTH RECORDS OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE  (#PCDATA) 
An input parameter value. 

/AUTH RECORDS OUTPUT/REOUEST/POST DATA  (#PCDATA) 

The POST data, if any. 


/AUTH. RECORDS 0 
/AUTH. RECORDS O 
/AUTH. RECORDS O 


G 


E 
bas) 


G 


Authentication Record List Output: Response 


XPath element specifications / notes 
/AUTH_RECORDS_OUTPU (REQUEST?, RESPONSE) 
/AUTH_RECORDS_OUTPUT/RESPONSE 


(DATETIME, AUTH_RECORDS?, WARNING LIST?) 
/AUTH_RECORDS_OUTPUT/RESPONSE/DATETIME (#PCDATA) 


The date and time of the response. 
/AUTH_RECORDS_OUTPUT/RESPONSE/AUTH_RECORDS 


(AUTH UNIX IDS?, AUTH. WINDOWS IDS?, AUTH ORACLE IDS?, 
UTH. ORACLE LISTENER IDS?, AUTH. SNMP IDS?, AUTH MS SOL IDS?, 
UTH IBM DB2 IDS?, AUTH. VMWARE IDS?, AUTH MS IIS IDS?, 
UTH APACHE IDS?, AUTH IBM WEBSPHERE IDS?, AUTH HTTP IDS?, 
UTH. SYBASE IDS?, AUTH MYSOL IDS?, AUTH. TOMCAT IDS?, 
UTH_ORACLE_WEBLOGIC_IDS?, AUTH_DOCKER_IDS?, 
UTH_POSTGRESQL_IDS?, AUTH. MONGODB IDS?, 
PALO ALTO FIREWALL IDS?, AUTH VCENTER IDS?, 
UTH JBOSS IDS?, AUTH_MARIADB_IDS?, 


UT FORMIXDB IDS?, AUTH MS EXCHANGE IDS?, 


UTH ORACLE HTTP SERVER IDS?, AUTH. GREENPLUM IDS?, 
UTH MICROSOFT. SHAREPOINT. IDS?, AUTH_KUBERNETES IDS?, 
UTH. SAPIO IDS?, AUTH SAP HANA IDS?, AUTH_NEO4J_IDS?, 


UTH AZURE MS SOL IDS?, AUTH NETWORK SSH IDS?) 
/AUTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH UNIX IDS (ID SET) 


ee ee ee ee ee ee 
J 


A set of Unix and Cisco authentication record IDs. 
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UTH RECORDS OUTPUT/RESPONSE/AUTH RECORDS/AUTH. WINDOWS IDS (ID SET) 


A set of Windows authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH RECORDS/AUTH ORACLE IDS (ID SET) 


A set of Oracle authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH RECORDS/AUTH ORACLE LISTENER IDS (ID SET) 


A set of Oracle Listener authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH SNMP IDS (ID SET) 


A set of SNMP authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH RECORDS/AUTH MS SOL IDS (ID SET) 
A set of MS SOL authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH IBM DB2 IDS (ID SET) 


A set of IBM DB2 authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH RECORDS/AUTH VMWARE IDS - (ID SET) 


A set of VMware authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH AUTH MS IIS IDS (ID SET) 


A set of Microsoft IIS Web Server authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH APACHE IDS? (ID SET) 


A set of Apache Web Server authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH IBM WEBSPHERE IDS (ID SET) 


A set of IBM WebSphere Application Server authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH HTTP IDS (ID SET) 


A set of HTTP authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH SYBASE IDS (ID SET) 


A set of Sybase authentication record IDs. 


UTH_RECORDS_OUTPUT/RESPONSE/AUTH_RECORDS/AUTH_MYSQL_IDS_ (ID SET) 


A set of MySQL authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH TOMCAT IDS (ID SET) 


A set of Tomcat Server authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH ORACLE WEBLOGIC IDS (ID SET) 


A set of Oracle WebLogic Server authentication record IDs. 


e 
UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH DOCKER IDS (ID SET) 


A set of Docker authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH. POSTGRESSOL IDS (ID SET) 


A set of PostgresSQL authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH. MONGODB IDS (ID SET) 


A set of MongoDB authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH PALO ALTO FIREWALL IDS (ID SET) 


A set of Palo Alto Firewall authentication record IDs. 


UTH RECORDS OUTPUT/RESPONSE/AUTH. RECORDS/AUTH VCENTER IDS (ID SET) 


This element will not appear in XML output at this time. This is pre-release 
functionality scheduled for a future release related to VMware vCenter 
authentication support. 
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element specifications / notes 
PONSE/AUTH. RECORDS/AUTH JBOSS IDS (ID SET) 


A set of JBoss Server authentication record IDs. 


PONSE/AUTH_RECORDS/AUTH_MARIADB_IDS (ID_SET) 


A set of MariaDB authentication record IDs. 


PONSE/AUTH_RECORDS/AUTH_INFORMIXDB_IDS (ID_SET) 


A set of InformixDB Server authentication record IDs. 


PONSE/AUTH_RECORDS/AUTH_MS_EXCHANGE_IDS (ID_SET) 


A set of MS Exchange Server authentication record IDs. 


PONSE/AUTH_RECORDS/AUTH_ORACLE_HTTP_SERVER_IDS (ID_SET) 


A set of Oracle HTTP Server authentication record IDs. 


PONSE/AUTH_RECORDS/AUTH_GREENPLUM_IDS (ID. SET) 


A set of Pivotal Greenplum authentication record IDs. 


PONSE/AUTH. RECORDS/AUTH MICROSOFT. SHAREPOINT. IDS (ID SET) 


A set of Microsoft SharePoint authentication record IDs. 


PONSE/AUTH_RECORDS/AUTH_KUBERNETES_IDS (ID SET) 


A set of Kubernetes authentication record IDs. 


PONSE/AUTH_RECORDS/AUTH_SAPIQ_IDS (ID SET) 


A set of SAP IQ authentication record IDs. 


PONSE/AUTH. RECORDS/AUTH SAP HANA IDS (ID SET) 


A set of SAP Hana authentication record IDs. 


RESPONSE/AUTH_RECORDS/AUTH_NEO4J_IDS (ID SET) 


A set of Ne04j authentication record IDs. 


/RESPONSE/AUTH. RECORDS/AUTH AZURE MS SOL IDS (ID SET) 


A set of Azure MS SOL authentication record IDs. 


/RESPONS 


A set of Network SSH authentication record IDs. 


/RESPONSE/AUTH_RECORDS/AUTH_NGINX_IDS? (ID_SET) 


A set of Nginx authentication record IDs. 


Authenticati 


on Record List Output: Warning List 


element specifications / notes 


E 
Rn 


PONSE/WARNING LIST (WARNING+) 


(E 
Sk 


E/AUTH_RECORDS/AUTH_NETWORK_SSH_IDS? (ID_SET) 


PONSE/WARNING_LIST/WARNING (CODE?, TEXT, URL?, ID SET?) 


EP; 
hr 


PONSE/WARNING LIST/WARNING/CODE (#PCDATA) 


more than 1,000 records. 


PONSE/WARNING LIST/WARNING/TEXT  (*PCDATA) 


identifies more than 1,000 records. 


PONSE/WARNING LIST/WARNING/URL — (4PCDATA) 


A warning code. A warning code appears when the API reguest identifies 


A warning message. A warning message appears when the API reguest 


The URL for making another API reguest for the next batch of 


authentication records. 
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XPath 
/AUT 


/AUT 


element specifications / notes 
[FH RECORDS OUTPUT/RESPONSE/WARNING LIST/WARNING/ID SET  (ID|ID_RANGE) 


FH RECORDS OUTPUT/RESPONSE/WARNING LIST/WARNING/ID SET/ID (4PCDATA) 


An authentication record ID. 
[FH RECORDS. OUTPUT/RESPONSE/WARNING LIST/WARNING/ID. SET/ID. RANGE 


/AUT 


(#PCDATA) 
A range of authentication record IDs. 
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Authentication Record List by Type Output 


API used 


<platform API server>/api/2.0/fo/auth/<type>/ with action=list 


where <type> is an authentication type, such as: unix, windows, oracle, oracle listener, 
snmp, ms_sql, mysql, etc. 


DTD for Authentication Record List by Type Output 
<platform API server>/api/2.0/fo/auth/<type>/auth_<type>_list_output.dtd 


Some authentication record lists follow this format for the DTD path: 


<platform API serve 


r>/api/2.0/fo/auth/<type>/dtd/auth list output.dtd 


A recent DTD for Windows is shown below. 


<!-- OUALYS 


<!ELEMENT A 


AUTH WINDOWS LIST OUTPUT DTD --> 


UTH WINDOWS LIST OUTPUT (REOUEST?, RESPONSE) > 


<!ELEMENT R 


EOUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 


<!ELEM 


POST DATA?)> 
ENT DATETIME (#PCDATA) > 


<!ELEMENT USER LOGIN (#PCDATA) > 


<!ELEMENT R 


ESOURCE (#PCDATA) > 


<!ELEMENT PARAM LIST (PARAM+) > 
<!ELEMENT PARAM (KEY, VALUE) > 


<!ELEMENT K 


EY (#PCDATA) > 


<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


<!ELEMENT R 


ESPONSE (DATETIME, (AUTH WINDOWS LIST|ID SET) ?, WARNING LIST?, 


GLOSSARY?) > 
<!ELEMENT A 


<!-- If WIN 


UTH WINDOWS LIST (AUTH WINDOWS+) > 


DOWS DOMAIN is set, then IP SET is optional (not specified 


means servi 


<!ELEMENT A 


ce selects IPs) --> 7 


UTH WINDOWS (ID, TITLE, USERNAME, NTLM?, NTLM v2?, KERBEROS?, 


WINDOWS DOMAIN?, WINDOWS AD DOMAIN?, WINDOWS AD TRUST?, IP SET?, TAGS?, 


DIGITAL VAULT?, NETWORK ID?, CREATED, LAST MODIFIED, 
USE AGENTLESS TRACKING?, MINIMUM SMB VERSION?, 


ITLE (#PCDATA) > 


SERNAME (#PCDATA) > 


TLM (#PCDATA) > 
TLM V2 (#PCDATA) > 


ERBEROS (# PCDATA) > 


REQUIRE_SMB_ 
<!ELEMENT I 
<!ELEMENT T 
<!E ‚EMENT U 
<!E EMENT N 
<!E EMENT N 
<!E EMENT K 
<!E EMENT W 
<!E EMENT W 


INDOWS DOMAIN (#PCDATA) > 
INDOWS AD DOMAIN (#PCDATA) > 


129 


<! 


<! 
<! 
<! 


<! 
<! 
<! 
<! 
<! 
<! 
<! 


<! 
<! 
DI 
VA 
VA 
VA 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 


<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 


<! 
<! 
<! 
<! 
<! 
<! 
<! 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 4 - Scan Authentication XML 


ELEMENT WINDOWS AD TRUST (#PCDATA) > 
ELEMENT IP SET (IP|IP RANGE) +> 

ELEMENT IP (#PCDATA) > 

ELEMENT IP RANGE (#PCDATA) > 

ELEMENT TAGS (TAG TYPE, TAGS INCLUDE, TAGS EXCLUDE?) > 
ELEMENT TAG TYPE (#PCDATA) > 

ELEMENT TAGS INCLUDE (SELECTOR, TAG+)> 

ELEMENT SELECTOR (#PCDATA) > 

ELEMENT TAG (ID, NAME)> 

ELEMENT NAME (#PCDATA) > 

ELEMENT TAGS EXCLUDE (SELECTOR, TAG?)> 

ELEMENT LOGIN TYPE (#PCDATA) > 

ELEMENT DIGITAL VAULT (DIGITAL VAULT ID, DIGITAL VAULT TYPE, 
GITAL VAULT TITLE, VAULT FOLDER?, VAULT FILE?, VAULT SECRET NAME?, 
ULT SYSTEM NAME?, VAULT EP NAME?, VAULT EP TYPE?, VAULT EP CONT?, 
ULT NS TYPE?, VAULT NS NAME?, VAULT ACCOUNT NAME?, 
ULT AUTHORIZATION NAME?, VAULT TARGET NAME?) > 

ELEMENT DIGITAL VAULT ID (#PCDATA) > 

ELEMENT DIGITAL VAULT TYPE (#PCDATA) > 

ELEMENT DIGITAL VAULT TITLE (#PCDATA) > 

ELEMENT VAULT FOLDER (#PCDATA) > 

ELEMENT VAULT FILE (#PCDATA) > 

ELEMENT VAULT SECRET NAME (#PCDATA) > 

ELEMENT VAULT SYSTEM NAME (#PCDATA) > 

ELEMENT VAULT EP NAME (#PCDATA) > 

ELEMENT VAULT EP TYPE (#PCDATA) > 

ELEMENT VAULT EP CONT (#PCDATA) > 

ELEMENT VAULT NS TYPE (#PCDATA) > 

ELEMENT VAULT NS NAME (#PCDATA) > 

ELEMENT VAULT ACCOUNT NAME (#PCDATA) > 

ELEMENT VAULT AUTHORIZATION NAME (#PCDATA) > 

ELEMENT VAULT TARGET NAME (#PCDATA) > 

ELEMENT NETWORK ID (#PCDATA) > 

ELEMENT CREATED (DATETIME, BY)> 

ELEMENT BY (#PCDATA) > 

ELEMENT LAST MODIFIED (DATETIME) > 

ELEMENT COMMENTS (#PCDATA) > 

ELEMENT USE AGENTLESS TRACKING (#PCDATA) > 

ELEMENT MINIMUM SMB VERSION (#PCDATA) > 

ELEMENT REQUIRE SMB SIGNING (#PCDATA) > 

ELEMENT WARNING LIST (WARNING+) > 

ELEMENT WARNING (CODE?, TEXT, URL?, ID SET?)> 

ELEMENT CODE (*PCDATA) > 

ELEMENT TEXT (#PCDATA) > 

ELEMENT URL (#PCDATA) > 

ELEMENT ID SET (ID|ID_RANGE) +> 

ELEMENT ID RANGE (#PCDATA) > 
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<!ELEMENT USER LIST (USER+) > 

<!ELEMENT USER (USER LOGIN, FIRST NAME 
<!ELEMENT FIRST NAME (#PCDATA) > 
<!ELEMENT LAST NAME (#PCDATA) > 

<!-- EOF --> 


<, 
Dr 
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LAST NAME) > 


XPaths for Authentication Record List by Type Output 


ALI Record Types - common sections 


ja 


<TYPE> is the authentication type, such as unix, windows, oracle, snmp, ms sgl, ibm db2. 
XPath element specifications / notes 

/AUTH <TYPE> LIST OUTPU (REOUEST?, RESPONSE) 

/AUTH. <TYPE> LIST OUTPUT/REOUEST 

(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/AUTH <TYPE> LIST OUTPUT/REOUEST/DATETIME — (4PCDATA) 

The date and time of the API request. 
/AUTH_<TYPE>_LIST_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 

The user login ID of the user who made the request. 

/AUTH <TYPE> LIST OUTPUT/REOUEST/RESOURCE  (#PCDATA) 
The resource specified for the reguest. 
/AUTH <TYPE> LIST OUTPUT/REOUEST/PARAM LIST (PARAM+) 
/AUTH <TYPE> LIST OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE) 
/AUTH <TYPE> LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY  (#PCDATA) 

An input parameter name. 

/AUTH. <TYPE> LIST OUTPUT/REOUEST/PARAM. LIST/PARAM/VALUE  (*PCDATA) 

An input parameter value. 

/AUTH <TYPE> LIST OUTPUT/REOUEST/POST. DATA — (*PCDATA) 

The POST data, if any. POST data is urlencoded. 
/AUTH. <TYPE> LIST OUTPUT/RESPONSE 

(DATETIME, (AUTH_<TYPE>_LIST|ID_SET)?, WARNING LIST? GLOSSARY?) 
/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/DATETIME (#PCDATA) 

The date and time of the response. 
/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AUTH_<TYPE>_LIST (AUTH_<TYPE>+) 
/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AUTH_<TYPE>_LIST/AUTH_<TYPE> 

(ID, TITLE, <type-specific elements>, IP SET?, NETWORK_ID?, 

CREATED, LAST MODIFIED, COMMENTS?) 

/AUTH <TYPE> LIST OUTPUT/RESPONSE/AUTH <TYPE> LIST/AUTH <TYPE>/ID (4PCDATA) 

The authentication record ID. 

/AUTH <TYPE> LIST OUTPUT/RESPONSE/AUTH. <TYPE> LIST/AUTH <TYPE>/TITLE (#PCDATA) 

The authentication record title. 
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XPath element specifications / notes 
/AUTH <TYPE> LIST. OUTPUT/RESPONSE/AU <TYPE> LIST/AU <TYPE>/IP SET (IP|IP RANGE) 


/AUTH <TYPE> LIST. OUTPUT/RESPONSE/AU <TYPE> LIST/AU <TYPE>/IP.SET/IP (#PCDATA) 


An IP address saved in the authentication record. 
/AUTH. <TYPE> LIST. OUTPUT/RESPONSE/AU <TYPE> LIST/AUTH. <TYPE>/IP. SET/ 


A range of IP addresses saved in the authentication record. 
/AUTH <TYPE> LIST OUTPUT/RESPONSE/AU <TYPE> LIST/AU <TYPE>/NETWORK ID (4PCDATA) 


The network ID for the record. Applies when the networks feature is 
enabled. 


OUTPUT/RESPONSE/AU <TYPE> LIST/AU 
/AUTH <TYPE> LIST OUTPUT/RESPONSE/AUTH. <TYPE> LIST/AU 
) 


N 


YPE>/CREATED (DATETIME|BY) 
YPE>/CREATED/ 


A 


The date and time the authentication record was created. 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AU <TYPE>_LIST/AU <TYPE>/CREATED/BY (#PCDATA) 


The user login ID of the user who created the authentication record. 
/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AUTH_<TYPE>_LIST/AU <TYPE>/LAST_MODIFIED (DATETIME) 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AU <TYPE>_LIST/AUTH_<TYPE>/LAST_MODIFIED/ 
DATETIME (#PCDATA) 


The date and time the authentication record was last modified. 
/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AU <TYPE>_LIST/AU <TYPE>/COMMENTS (#PCDATA) 


User-provided notes (comments) saved in the record. 


Record Types with Tag Support 


ja 


<TYPE> is the authentication type, such as unix and windows 


XPath element specifications / notes 
/AUTH <TYPE> LIST OUTPUT/RESPONSE/AU <TYPE> LIST/AUTH. <TYPE>/TAGS 
(TAG TYPE, TAGS INCLUDE, TAGS EXCLUDE) 


/AUTH <TYPE> LIST OUTPUT/RESPONSE/AU <TYPE> LIST/AU <TYPE>/TAGS/TAG TYPE (#PCDATA) 


The tag asset type selected in the record: asset tags orip range tag rule. 
/AUTH. <TYPE> LIST OUTPUT/RESPONSE/AU SINA MISA <TYPE>/TAGS/TAGS. INCLUDE 


/AUTH. <TYPE> LIST. OUTPUT/RESPONSE/AUTH. <TYPE> LIST/AUTH. <TYPE>/TAGS/TAGS. INCLUDE 
SELECTOR (#PCDATA) 


The tag selector (any or all) for tags included in the record. 
/AUTH <TYPE> LIST OUTPUT/RESPONSE/AU <TYPE>_LIST/AUTH_<TYPE>/TAGS/TAGS_INCLUDE/TAG 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AU <TYPE>_LIST/AUTH_<TYPE>/TAGS/TAGS_INCLUDE/TAG/ 
ID (#PCDATA) 


The ID of an asset tag in the included list. 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AU <TYPE>_LIST/AUTH_<TYPE>/TAGS/TAGS_INCLUDE/TAG/ 
NAME (#PCDATA 


The name of an asset tag in the included list. 
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XPath element specifications / notes 


/AUTH <TYPE> LIST. OUTPUT/RESPONS 
(SELECTOR 


_LIS 


(AU <TYPE>/TAGS/TAGS_EXCLUD 


m 


/AUTH <TYPE> LIST OUTPUT/RESPONS 


_ LIS 


/AU <TYPE>/TAGS/TAGS_EXCLUDE 


The tag or all) for tags excluded in the record. 
/AUTH_<TYPE>_LIST_OUTPUT/RESPONS _LIST/AUTH_<TYPE>/TAGS/TAGS_EXCLUDE/TAG 
(ID, NAME) 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONS 


AIS 


The ID of a 


tag in the 


excluded list. 


/AUTH_<TYPE>/TAGS/TAGS_EXCLUDE/TAG/ 


NAME (#PCDATA 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONS LIS 
E 


rhe name o 


/AUTH_<TYPE>/TAGS/TAGS_EXCLUDE/TAG/ 


t tag in the excluded list. 


Unix Response 


Elements (in bold) for Unix, Cisco, and Checkpoint Firewall records are below. 


XPath element specifications / notes 


/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AUTH_UNIX_LIST/AUTH_UNIX 


(ID, TITLE, USERNAME, SKIP_PASSWORD?, CLEARTEXT_PASSWORD?, 
TARGET TYPE?, (ROOT TOOL? |ROOT TOOL INFO LIST?) , ((RSA_PRIVATE 
KEY?, DSA PRIVATE KEY?) [PRIVATE KEY CERTIFICATE LIST?), 


PORT?, IP S 
CREATED, 


ET, TAGS?, LOGIN TYPE?, DIGITAL VAULT?, NETWORK. ID?, 
FIED, COMMENTS?, USE AGENTLESS TRACKING?, 


AGENTLESS TRACKING PATH? QUALYS SHELL ?) 


/AUTH UNIX LIST. OUTPUT/RESPONSE/AU'I 


The user a 


/AU 


H UNIX/USERNAME (#PCDATA) 


e used for authentication on target hosts. 


/AUTH UNIX LIST OUTPUT/RESPONSE/AU'I /AUTH UNIX/SKIP. PASSWORD (4PCDATA) 
Set to 1 if ski option enabled. 
/AUTH UNIX LIST. OUTPUT/RESPONSE/AU'I /AUTH_UNIX/ 


CLEARTEXT_PASSWORD (#PCDATA 


A flag indica 
authentication 


ting whether the C 
ecord. The valu 


eartext Password option is enabled in the 
e 1 indicates that the option is enabled. The 


va that the option is disabled. 
/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AU /AUTH UNIX/TARGET. TYPE (4PCDATA) 

Al type of target for a Unix auth record. 
/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AU /AUTH UNIX/ROOT TOOL (#PCDATA) 


Na tion tool configured for the record or None (no root 
delegati onfigured). 

/AUTH UNIX LIST. OUTPUT/RESPONSE/AU /AUTH_UNIX/ 

ROOT TOOL INFO LIST (ROOT_TOOL_ 

/AUTH UNIX LIST. OUTPUT/RESPONSE/AU /AUTH_UNIX/ 

ROOT_TOOL_INFO_LIST/ROO OOL_INFO TOOL, PASSWORD_INFO?) 


For Uni 


oot de 


egation tool configured for the record. 


/AUTH_UNIX_LIST_OUTPUT/RESPONSE/ w ale 
ROOT_TOOL_INFO_LIST/ROOT_TOOL_INFO/PASSWORD_INFO ( 


/AU 


UNIX/ 


DIGITAL VAULT?) 
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XPath element specifications / notes 
attribute: type (basic|vault) "basic" 
/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AUTH_UNIX_LIST/AUTH_UNIX/RSA_PRIVATE_KEY 


Element no longer used. 
/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AUTH_UNIX_LIST/AUTH_UNIX/DSA_PRIVATE_KEY 
Element no longer used. 


/AUTH UNIX LIST. OUTPUT/RESPONSE/AUTH UNIX LIST/A 
BRIVAMENSE ASE RE CATERAS M ERINVATEMISE MGE 


/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AUTH_UNIX_LIST/AUTH_UNIX/ 
PRIVATE_KEY_CERTIFICATE_LIST/PRIVATE_KEY_CERTIFICATE/ 
(ID, PRIVATE_KEY_INFO, PASSPHRASE_INFO, CERTIFICATE?)+ 


/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AUTH_UNIX_LIST/AUTH_UNIX/ 


PRIVATE_KEY_CERTIFICATE_LIST/PRIVA! E_KEY_CERTIFICA E/PRIVATE_KEY_INFO 
(PRIVATE_KEY|DIGITAL_VAULT 


H_UNIX/ 


Ti 
ps] 
= 
T 
S 
isi 
BE 


(Q) 


attribute: type (basic|vault) "basic" 
/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AUTH_UNIX_LIST/AUTH_UNIX/ 


PRIVATE_KEY_CERTIFICATE_LIST/PRIVATE_KEY_CERTIFICATE/PRIVATE_KEY_INFO/PRIVATE_KEY 
attribute: type (rsa|dsa|ecdsajed25519) 


/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AUTH_UNIX_LIST/AUTH_UNIX/ 
PRIVATE_KEY_CERTIFICATE_LIST/PRIVATE_KEY_CERTIFICATE/PASSPHRASE_INFO 
(PRIVATE_KEY|DIGITAL_VAULT 


attribute: type (basic|vault) "basic" 


/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AUTH_UNIX_LIST/AUTH_UNIX/ 
PRIVATE_KEY_CERTIFICATE_LIST/PRIVATE_KEY_CERTIFICATE/CERTIFICATE 


attribute: type (x.509|openssh) 
/AUTH UNIX LIST. OUTPUT/RESPONSE/AUTH UNIX LIST/AUTH UNIX/PORT (#PCDATA) 
p 


A list of custom ports defined for compliance scanning (authentication and 
compliance assessment). 


/AUTH UNIX LIST. OUTPUT/RESPONSE/AUTH UNIX LIST/AUTH UNIX/LOGIN TYPE (#PCDATA) 


(Unix record only) Login type is "vault" when a vault is defined for the 
record. Note a vault can’t be defined for these records - Cisco and 
Checkpoint Firewall. 


/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AUTH_UNIX_LIST/AUTH_UNIX/DIGITAL_VAULT 


For a Unix record, vault information configured for the record. See Vault 
Information. Note a vault can’t be defined for these records - Cisco and 
Checkpoint Firewall. 


/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AUTH_UNIX_LIST/AUTH_UNIX/ 
USE AGENTLESS TRACKING (#PCDATA) 


1 means that Agentless Tracking option is enabled in the record, and 0 
means thatit's disabled. 


/AUTH UNIX LIST. OUTPUT/RESPONSE/AUTH UNIX LIST/AUTH UNIX/ 
AGENTLESS. TRACKING PATH (#PCDATA) 


The pathname where the host ID file will be stored on each host. (Applies 
only when Agentless Tracking is enabled in the record.) 


/AUTH_UNIX_LIST_OUTPUT/RESPONSE/AUTH_UNIX_LIST/AUTH_UNIX/ 
QUALYS_SHELL (ENABLED, LOG_FACILITY?) 


Information on Qualys Shell and log facility, when Qualys Shell is enabled 
for the subscription. 
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Elements (in bold) for Network SSH records are below. 


XPath 


element specifications / notes 


/AUTH. NETWORK SSH LIST OUTPUT/RESPONSE/AUTH. NETWORK SSH LIST/AUTH. NETWORK. SSH 


(1D, 1 


TITLE, USERNAME, SKIP PASSWORD?, CLEARTEXT PASSWORD?, 


PASSWORD2 INFO, TARGET TYPE?, ((RSA PRIVATE KEY?, 
DSA PRIVATE KEY?) |PRIVATE KEY CERTIFICATE LIST?) , PORT?, IP SET, 


LOGIN TYPE?, DIGITAL VAULT?, NETWORK ID?, CREATED, 

LAST. MODIFIED, COMMENTS?) 
/AUTH NETWORK SSH LIST. OUTPUT/RESPONSE/AUTH. NETWORK SSH LIST/AUTH. NETWORK. SSH/USER 
NAME (4PCDATA) 

The user account to be used for authentication on target hosts. 
/AUTH NETWORK SSH LIST OUTPUT/RESPONSE/AUTH. NETWORK SSH LIST/AUTH. NETWORK. SSH/SKIP 
PASSWORD (#PCDATA) 

Set to 1 if skip password option enabled. 
/AUTH. NETWORK SSH LIST OUTPUT/RESPONSE/AUTH. NETWORK SSH LIST/AUTH. NETWORK SSH/ 
CLEARTEXT PASSWORD (#PCDATA 

A flagindicating whether the Cleartext Password option is enabled in the 

authentication record. The value 1 indicates that the option is enabled. The 

value 0 indicates that the option is disabled. 
/AUTH_NETWORK_SSH_LIST_OUTPUT/RESPONSE/AUTH_NETWORK_SSH_LIST/AUTH_NETWORK_SSH/TAR 
GET_TYPE (#PCDATA 

Allows you to define the type of target for a Network SSH auth record. 
/AUTH_NETWORK_SSH_LIST_OUTPUT/RESPONSE/AUTH_NETWORK_SSH_LIST/AUTH_NETWORK_SSH/ 
PASSWORD2_INFO (DIGITAL_VAULT?) 

attribute: type (basic|vault) "basic" 
/AUTH_NETWORK_SSH_LIST_OUTPUT/RESPONSE/AUTH_NETWORK_SSH_LIST/AUTH_NETWORK_SSH/RSA_ 
ERIVATESK EN 

RSA private key. 
/AUTH_NETWORK_SSH_LIST_OUTPUT/RESPONSE/AUTH_NETWORK_SSH_LIST/AUTH_NETWORK_SSH/DSA_ 
PRIVATE KEY 

DSA private key. 
/AUTH. NETWORK SSH LIST OUTPUT/RESPONSE/AUTH. NETWORK SSH LIST/AUTH. NETWORK SSH/ 
PRIVATE KEY CERTIFICATE LIST (PRIVATE KEY CERTIFICATE)* 
/AUTH. NETWORK SSH LIST OUTPUT/RESPONSE/AUTH. NETWORK SSH LIST/AUTH. NETWORK SSH/ 
PRIVATE KEY CERTIFICATE LIST/PRIVATE. KEY CERTIFICATE/ 
(ID, PRIVATE, KEY INFO, PASSPHRASE INFO, CERTIFICATE?)+ 
/AUTH. NETWORK SSH LIST OUTPUT/RESPONSE/AUTH. NETWORK SSH LIST/AUTH. NETWORK SSH/ 
PRIVATE. KEY CERTIFICATE LIST/PRIVATE. KEY CERTIFICATE/PRIVATE. KEY INFO 
(PRIVATE. KEYIDIGITAL VAULT) 

attribute: type (basic|vault) "basic" 
/AUTH NETWORK SSH LIST OUTPUT/RESPONSE/AUTH NETWORK SSH LIST/AUTH. NETWORK. SSH/ 
PRIVATE KEY CERTIFICATE. LIST/PRIVATE. KEY CERTIFICATE/PRIVATE. KEY INFO/PRIVATE. KEY 

attribute: type (rsaldsalecdsajed25519) 
/AUTH_NETWORK_SSH_LIST_OUTPUT/RESPONSE/AUTH_NETWORK_SSH_LIST/AUTH_NETWORK_SSH/ 
PRIVATE_KEY_CERTIFICATE_LIST/PRIVATE_KEY_CERTIFICATE/PASSPHRASE_INFO 
(PRIVATE_KEY|DIGITAL_VAULT) 

attribute: type (basic|vault) "basic" 
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XPath element specifications / notes 
/AUTH NETWORK SSH LIST OUTPUT/RESPONSE/AUTH NETWORK SSH LIST/AUTH. NETWORK. SSH/ 
PRIVATE KEY CERTIFICATE LIST/PRIVATE,. KEY CERTIFICATE/CERTIFICATE 

attribute: type (x.509|openssh) 
/AUTH_NETWORK_SSH_LIST_OUTPUT/RESPONSE/AUTH_NETWORK_SSH_LIST/AUTH_NETWORK_SSH/POR 
T (#PCDATA) 

A list of custom ports defined for compliance scanning (authentication and 

compliance assessment). 
/AUTH_NETWORK_SSH_LIST_OUTPUT/RESPONSE/AUTH_NETWORK_SSH_LIST/AUTH_NETWORK_SSH/LOGI 
N_TYPE (#PCDATA) 

Login type is "vault" when a vault is defined for the record. 
/AUTH_NETWORK_SSH_LIST_OUTPUT/RESPONSE/AUTH_NETWORK_SSH_LIST/AUTH_NETWORK_SSH/DIGI 
TAL_VAULT 

Vault information configured for the record. 


Windows Response 


Windows-specific elements (in bold) are described below. 


XPath 


element specifications / notes 


/AUTH_WINDOWS_LIST_OUTPUT/RESPONSE/AUTH_WINDOWS_LIST/AUTH_WIN 
(ID, TITLE, USERNAME, NTLM?, NILM V2?, KERBERO 


DOWS 
S?, WINDOWS DOMAIN?, 


WINDOWS AD DOMAIN?, WINDOWS AD TRUST?, IP SET?, TAGS?, LOGIN TYPE, 
DIGITAL VAULT, NETWORK. ID?, CREATED, LAST. MODIFIED, 
COMMENTS?, USE AGENTLESS TRACKING?, MINIMUM SMB VERSION?, 
REQUIRE SMB SIGNING?) 


/AUTH_WINDOWS_LIST_OUTPUT/RESPONSE/AUTH_WINDOWS_LIST/AUTH_WINDOWS 
(USERNAME (#PCDATA) 

The user account to be used for authentication on target hosts. 
/AUTH_WINDOWS_LIST_OUTPUT/RESPONSE/AUTH_WINDOWS_LIST/AUTH_WINDOWS/ 


NTLM (#PCDATA) 


A flag indica 


ting whether the NT 


LM protocol is enabled in the record. 1 


means NTLM is enabled, 0 means it’s not enabled. 
/AUTH_WINDOWS_LIST_OUTPUT/RESPONSE/AUTH_WINDOWS_LIST/AUTH_WINDOWS/ 
NTLM_V2 (#PCDATA) 

A flagindicating whether the NTLM v2 protocol is enabled in the record. 1 


means NTLM v2 is enabled, 0 mean 


s it’s not enabled. 


/AUTH. WINDOWS. LIST. OUTPUT/RESPON 
KERBEROS (4PCDATA) 


A flagindica 
means Kerberos is enab 


SE/AUTH. WIN 


DOWS _ 


ting whether the Kerberos p 


ST/AUTH_WINDOWS/ 


otocol is enabled in the record. 1 


ed, 0 means it’s not enabled. 


/AUTH_WINDOWS_LIST_OUTPUT/RESPONSE/AUTH_WINDOWS_LIST/AUTH_WINDOWS/ 
WINDOWS DOMAIN  (#PCDATA) 

A Windows domain name appears when a NetBIOS domain type is selected. 
/AUTH. WINDOWS LIST. OUTPUT/RESPONSE/AUTH. WINDOWS LIST/AUTH. WINDOWS/ 


WINDOWS AD DOMAIN (#PCDATA) 


An Active Directory domain name, specified as an FODN name, appears 
when the Active Directory domai 


n type is selected. 
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XPath element specifications / notes 


/AUTH. WINDOWS LIST. OUTPUT/RESPONSE/AUTH. WINDOWS. LIST/AUTH. WINDOWS/ 
WINDOWS AD TRUST (#PCDATA) 


A flagindicating whether the “Follow trust relationships” option is selected 
for an Active Directory domain. The value 1 indicates the “Follow trust 
relationships” option is enabled. The value 0 indicates the “Follow trust 
relationships” option is not enabled. 


/AUTH. WINDOWS LIST. OUTPUT/RESPONSE/AUTH. WINDOWS LIST/AUTH. WINDOWS/ 
LOGIN TYPE (4PCDATA) 


Login type is "vault" when a vault is defined for the record. 


/AUTH. WINDOWS LIST. OUTPUT/RESPONSE/AUTH. WINDOWS. LIST/AU WINDOWS/ 
DIGITAL VAULT 


Vault information, when a vault is defined for the record. See Vault 
Information. 


/AUTH_WINDOWS_LIST_OUTPUT/RESPONSE/AUTH_WINDOWS_LIST/AUTH_WINDOWS/ 
MINIMUM_SMB_SIGNING (#PCDATA) 


The minimum SMB version required or authentication. Valid value is: 1, 
2.0.2, 2.1, 3.0, 3.0.2, 3.1.1, or “” (empty string means no version set). 


/AUTH_WINDOWS_LIST_OUTPUT/RESPONSE/AUTH_WINDOWS_LIST/AUTH_WINDOWS/ 
REQUIRE_SMB_SIGNING (#PCDATA) 


A flag indicating whether SMB signing is required for Windows 
authentication. 1 means SMB signing is required, and 0 means it’s not 
required. 


Oracle Response 


Oracle-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_ORACLE_LIST_OUTPUT/RESPONSE/AUTH_ORACLE_LIST/AUTH_ORACLE 


ID, TITLE, USERNAME, (SID|SERVICENAME) ?, PORT?, IP_SET?, 

PC ONLY?, IS CDB?, WINDOWS OS CHECKS, WINDOWS OS OPTIONS?, 
UNIX OPATCH CHECKS, UNIX OS CHECKS, UNIX OS OPTIONS?, 
NETWORK. ID?, CREATED, LAST. MODIFIED, IS SYSTEM CREATED?, 

IS ACTIVE?, IS TEMPLATE?, TEMPLATE?, COMMENTS?) 


/AUTH. ORACLE LIST. OUTPUT/RESPONSE/AUTH. ORACLE LIST/AUTH. ORACLE/ 
USERNAME (4PCDATA) 


[he user account to be used for authentication on target hosts. 


/AUTH. ORACLE LIST. OUTPUT/RESPONSE/AUTH. ORACLE LIST/AUTH. ORACLE/ 
SID (4PCDATA) 


[he Oracle System ID (SID) for the database instance to be authenticated 
to. This element appears only when a SID is defined for the Oracle record. 


/AUTH_ORACLE_LIST_OUTPUT/RESPONSE/AUTH_ORACLE_LIST/AUTH_ORACLE/ 
SERVICENAME (#PCDATA) 


[he Oracle service name for the database instance to be authenticated to. 
This element appears only when a service name is defined for the Oracle 
record. 


/AUTH_ORACLE_LIST_OUTPUT/RESPONSE/AUTH_ORACLE_LIST/AUTH_ORACLE/PORT (#PCDATA) 


[he port number that the database instance is running on, if specified. 
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element specifications / notes 


/RESPONSE/AUTH. ORACLE LIST/AU ORACLE/PC ONLY (#PCDATA) 


The value 1 indicates that the pc only=1 parameter is specified for this 
record and this record is used for compliance scans only. 


/AUTH. ORACLE LIST. OUTPU 


/RESPONSE/AUTH_ORACLE_LIST/AU ORACLE/IS CDB (4PCDATA) 


The value 1 indicates that the IS CDB option is enabled for the record. This 
means the Oracle database is a Multitenant Container Database. 


/AUTH ORAGLE LIST. OUTPU 
WINDOWS OS CHECKS (PC 


u 
/RESPONSE/AUTH_ORACLE_LIST/AUTH_ORACLE/ 
DATA 

The value 1 indicates the option to perform Windows OS-level compliance 
checks is enabled for the record. 


/AUTH_ORACLE_LIST_OUTPU 
WINDOWS_OS_OPTIONS 


/RESPONSE/AUTH_ORACLE_LIST/AUTH_ORACLE/ 


WIN_ORA_HOME, WIN ORA HOME PATH, WIN_INIT_ORA_PATH, 
WIN SPFILE ORA PATH, WIN LISTENER. ORA PATH, 
WIN. SOLNET. ORA PATH, WIN. TNSNAMES. ORA PATH) 


Values for Windows parameters used to perform OS-level compliance 
checks. 


/AUTH ORACLE LIST. OUTPUT 
UNIX OPATCH CHECKS (PC 


F/RESPONSE/AUTH. ORACLE LIST/AUTH. ORACLE/ 
DATA 


The value 1 indicates the option to perform Unix OPatch compliance checks 
is enabled for the record. 


/AUTH_ORACLE_LIST_OUTPU 
UNIX_OS_CHECKS (#PCDATA 


/RESPONSE/AUTH_ORACLE_LIST/AUTH_ORACLE/ 


The value 1 indicates the option to perform Unix OS-level compliance 
checks is enabled for the record. 


/AUTH_ORACLE_LIST_OUTPU 
UNIX_OS_OPTIONS 


/RESPONSE/AUTH_ORACLE_LIST/AUTH_ORACLE/ 


UNIX_ORA_HOME_PATH, UNIX INIT ORA PATH, UNIX SPFILE ORA PATH, 
UNIX LISTENER ORA PATH, UNIX SOLNET. ORA PATH, 


UNIX. TNSNAMES. ORA PATH, UNIX INVPTRLOC. PATH) 


Values for Unix parameters used to perform OS-level compliance checks. 


/AUTH ORACLE LIST OUTPUT/RESPONSE/AUTH. ORACLE LIST/AUTH. ORACLE/IS. SYSTEM. CREATED 


(#PCDATA) 


[he value 1 indicates that this record was system created. A value of 0 
indicates that it’s user created. 


/AUTH_ORACLE_LIST_OUTPU 


/RESPONSE/AUTH. ORACLE LIST/AU ORACLE/IS ACTIVE (#PCDATA) 


[he value 1 indicates that this record is active. A value of 0 indicates that it 
is inactive. 


/AUTH ORAGLE LIST OUTPUT/RESPONSE/AUTH. ORACLE LIST/AU ORACLE/IS TEMPLATE (4PCDATA) 


The value 1 indicates that this record is an Oracle system record template. 


/AUTH_ 


O 


RAGE: 


Wn 


_OUTPUT/RESPONSE/AUTH_ORACLE_L 


T/AU ORACLE/TEMPLATE (ID, TITLE) 


h 

A value of 0 indicates that this is a regular Oracle record. 
5 
S 


/AUTH 


O 
S 
ay 
E 

mi 
ly 

“n 


_OUTPU 


/RESPONSE/AUTH_ORACLE_L 


/AUTH ORACLE/TEMPLATE/ID — (4PCDATA) 


The ID ofthe Oracle system record template associated with a system 
created Oracle record. 


/AUTH. ORACLE LIST. OUTPU 
(4PCDATA) 


/RESPONSE/AUTH. ORACLE LIST/AUTH. ORACLE/TEMPLATE/TITLE 
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XPath element specifications / notes 


The title of the Oracle system record template associated with a system 
created Oracle record. 


SNMP Response 


SNMP-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH. SNMP LIST OUTPUT/RESPONSE/AUTH. SNMP LIST/AUTH. SNMP 


ID, TITLE, USERNAME? , AUTH ALG?, PRIV ALG?, SEC ENG?, 
CONTEXT ENG?, CONTEXT?, COMMUNITY STRINGS?,VERSION, IP. SET, 
NETWORK ID?, CREATED, LAST. MODIFIED, COMMENTS?) 


/AUTH. SNMP LIST OUTPUT/RESPONSE/AUTH. SNMP LIST/AUTH. SNMP/USERNAME (#PCDATA) 


SNMPv3 only) The user account to be used for authentication to target 
hosts. 


/AUTH. SNMP LIST OUTPUT/RESPONSE/AUTH. SNMP LIST/AUTH. SNMP/AUTH. ALG (#PCDATA) 
(SNMPv3 only) The authentication algorithm to be used: SHA1 or MDS. 
/AUTH_SNMP_LIST_OUTPUT/RESPONSE/AUTH_SNMP_LIST/AUTH_SNMP/PRIV_ALG (#PCDATA) 

(SNMPv3 only) The algorithm to be used for privacy: DES or AES. 
/AUTH_SNMP_LIST_OUTPUT/RESPONSE/AUTH_SNMP_LIST/AUTH_SNMP/SEC_ENG (#PCDATA) 

SNMPv3 only) The security engine ID. 


/AUTH_SNMP_LIST_OUTPUT/RESPONSE/AUTH_SNMP_LIST/AUTH_SNMP/CONTEXT_ENG (#PCDATA) 


(SNMPv3 only) The context engine ID. 
/AUTH_SNMP_LIST_OUTPUT/RESPONSE/AUTH_SNMP_LIST/AUTH_SNMP/CONTEXT (#PCDATA) 
SNMPv3 only) The context name. 


/AUTH. SNMP LIST OUTPUT/RESPONSE/AUTH. SNMP LIST/AUTH. SNMP/ 
COMMUNITY STRINGS (#PCDATA 


SNMPv1 or SNMPv2c only) User-provided SNMP community strings to be 
used for authentication to target hosts. 


/AUTH_SNMP_LIST_OUTPUT/RESPONSE/AUTH_SNMP_LIST/AUTH_SNMP/VERSION (#PCDATA) 
The SNMP protocol version: v1 (for SNMPv1), v2 (fSNMPv2c) or v3 (SNMPv3). 


MS SOL Response 
MS SQL-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_MS_SQL_LIST_OUTPUT/RESPONSE/AUTH_MS_SQL_LIST/AUTH_MS_SQL 
(ID, TITLE, USERNAME, NTLM v1?, NTLM V2?, KERBEROS?, (INSTANCE | 
AUTO_DISCOVER_INSTANCES), (DATABASE | 
AUTO DISCOVER DATABASES) , (PORT | AUTO DISCOVER PORTS), 
DB LOCAL, AUTH OS TYPE?, UNIX CONF PATH?, UNIX INSTA PATH?, 
WINDOWS DOMAIN?, (IP SETIMEMBER DOMAIN), NETWORK. ID?, CREATED, 
LAST. MODIFIED, COMMENTS?) 


/AUTH MS SOL LIST. OUTPUT/RESPONSE/AUTH. MS SOL LIST/AUTH. MS SOL/USERNAME (#PCDATA) 
The user account to be used for authentication to target hosts. 
/AUTH MS SOL LIST. OUTPUT/RESPONSE/AUTH MS SOL LIST/AUTH. MS SOL/NTLM. v1 (4PCDATA) 
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XPath element specifications / notes 
A flag indicating whether the NTLM protocol is enabled in the record. 1 
means NTLM is enabled, 0 means it's not enabled. 
/AUTH MS SOL LIST. OUTPUT/RESPONSE/AUTH. MS SOL LIST/AUTH MS SOL/NTLM V2 (#PCDATA) 
A flagindicating whether the NTLM v2 protocol is enabled in the record. 1 
means NTLM v2 is enabled, 0 means it's not enabled. 
/AUTH MS SOL LIST. OUTPUT/RESPONSE/AUTH. MS SOL LIST/AUTH MS SOL/KERBEROS (#PCDATA) 
A flag indicating whether the Kerberos protocol is enabled in the record. 1 
means Kerberos is enabled, 0 means it’s not enabled. 
/AUTH_MS_SQL_LIST_OUTPUT/RESPONSE/AUTH_MS_SQL_LIST/AUTH_MS_SQL/ 
INSTANCE|AUTO_DISCOVER_INSTANCES (#PCDATA) 
A database instance or AUTO_DISCOVER_INSTANCES=1 if instances are 
auto-discovered. 
/AUTH_MS_SQL_LIST_OUTPUT/RESPONSE/AUTH_MS_SQL_LIST/AUTH_MS_SQL/ 
DATABASE|AUTO_DISCOVER_DATABASES (#PCDATA) 
A database name or AUTO_DISCOVER_DATABASES=1 if database names are 
auto-discovered. 
/AUTH_MS_SQL_LIST_OUTPUT/RESPONSE/AUTH_MS_SQL_LIST/AUTH_MS_SQL/ 
PORT |AUTO_DISCOVER_PORTS (#PCDATA) 
Port numbers or AUTO_DISSCOVER_PORTS=1 if ports are auto-discovered. 
/AUTH_MS_SQL_LIST_OUTPUT/RESPONSE/AUTH_MS_SQL_LIST/AUTH_MS_SQL/ 
DB_LOCAL (#PCDATA) 
A flag indicating the authentication type. Set to 1 when login credentials 
are for a MS SQL Server database account. Set to 0 when login credentials 
are for a Microsoft Windows operating system account that is associated 
with a MS SQL Server database account. 
/AUTH_MS_SQL_LIST_OUTPUT/RESPONSE/AUTH_MS_SQL_LIST/AUTH_MS_SQL/ 


AUTH_OS_TYPE (#PCDATA) 


rhe authentica 


tion OS type selected in the record: windows or unix. 


/AUTH_MS_SQL_LIST_OU 
UNIX_CONF_PATH (#PCDATA) 


PUT/RESPONSE/AUT 


FH MS SOL LIST/A 


in the record. 


UTH MS SOL/ 


[he path to the MS SOL Server configuration file on Unix hosts, as defined 


/AUTH_MS_SQL_LIST_OUTPUT/RESPONSE/AUT 


UNIX_INSTA_PATH (#PCDATA 


TH_MS_SQL_LIST/AUTH_MS_SQL/ 


The path to the MS SQL Server instance directory on Unix hosts, as defined 


in the record. 


/AUTH_MS_SQL_LIS 
WINDOWS. DOMAIN (#PCDATA) 


 OUTPUT/RESPONSE/AU'I 


FH MS SOL LIST 


The domain name where the 


credentials are for a Microsoft Windows operating system account. 


F/AUTH. MS SOL/ 


login credentials are stored, when the login 


/AUTH.MS. SOL LIST 
MEMBER DOMAIN (#PCDATA) 


T OUTPUT/RESPONSE/AU'I 


FH MS SOL LIST 


F/AUTH. MS SOL/ 


The domain name to auto discover all MS SOL servers for the 


authentication record. 
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Azure MS SOL Response 
Azure MS SQL-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_AZURE_MS_SQL_LIST_OUTPUT/RESPONSE/AUTH_AZURE_MS_SQL_LIST/AUTH_AZURE_MS_SQL 
(ID, TITLE, PROVIDER_NAME, USERNAME, INSTANCE, (DATABASE | 


AUTO DISCOVER DATABASES), PORT, IP_SET, LOGIN_TYPE?, 
DIGITAL_VAULT?, NETWORK_ID?, CREATED, LAST_MODIFIED, 


COMMENTS?) 
/AUTH_AZURE_MS_SQL_LIST_OUTPUT/RESPONSE/AUTH_AZURE_MS_SQL_LIST/AUTH_AZURE_MS_SQL/PRO 
VIDER_NAME (#PCDATA) 

Name of the cloud service provider. The only value supported is azure. 
/AUTH_AZURE_MS_SQL_LIST_OUTPUT/RESPONSE/AUTH_AZURE_MS_SQL_LIST/AUTH_AZURE_MS_SQL/USE 
RNAME (#PCDATA) 

The user account to be used for authentication to target hosts. 
/AUTH_AZURE_MS_SQL_LIST_OUTPUT/RESPONSE/AUTH_AZURE_MS_SQL_LIST/AUTH_AZURE_MS_SQL/Inst 


ance (#PCDATA) 


.The name of the database instance to be scanned. This is the instance 


name assigned to the TCP/IP port. 


/AUTH_AZURE_MS_SQL_LIST_OUTPUT/RESPONSE/AUTH_AZURE_MS_SQL_LIST/AUTH_AZURE_MS_SQL/ 
DATABASE|AUTO_DISCOVER_DATABASES (#PCDATA) 


A database name or AUTO_DISCOVER_DATABASES=1 if database names are 
auto-discovered. 


/AUTH_AZURE_MS_SQL_LIST_OUTPUT/RESPONSE/AUTH_AZURE_MS_SQL_LIST/AUTH_AZURE_MS_SQL/ 
PORT (4PCDATA) 


The port number assigned to the database instance to be scanned. 


Neo4j Response 


Neo4j-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_NEO4J_LIST_OUTPUT/RESPONSE/AUTH_NEO4J_LIST/AUTH_NEO4J 
(ID, TITLE, USERNAME ,DATABASE?, PORT, SSL VERIFY?, HOSTS?,IP_SET?, 
UNIX CONF PATH?, UNIX BASE PATH’, VERSION’, AUTO PATH?, 
LOGIN TYPE?, DIGITAL VAULT?, NETWORK ID?, CREATED, 
LAST. MODIFIED, COMMENTS? 


/AUTH_NEO4J_LIST_OUTPUT/RESPONSE/AUTH_NEO4J_LIST/AU NEO4J/ 


[he user account to be used for authentication on target hosts. 
/AUTH_NEO4J_LIST_OUTPUT/RESPONSE/AUTH_NEO4J_LIST/AU EO4J/DATABASE (#PCDATA) 

The database name of the database to be scanned. 
/AUTH_NEO4J_LIST_OUTPUT/RESPONSE/AUTH_NEO4J_LIST/AUTH_NEO4J/PORT (#PCDATA) 

[he port number that the database is running on. 
/AUTH_NEO4J_LIST_OUTPUT/RESPONSE/AUTH_NEO4J_LIST/AU NEO4J/UNIX_BASE_PATH (#PCDATA) 


The base path for Neo4j on your Unix hosts. 
/AUTH_NEO4J_LIST_OUTPUT/RESPONSE/AUTH_NEO4J_LIST/AU NEO4J/UNIX_CONF_PATH (#PCDATA) 


The path to the Neo4j configuration file on your Unix hosts. 
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XPath element specifications / notes 
/AUTH_NEO4J_LIST_OUTPUT/RESPONSE/AUTH_NEO4J_LIST/AUTH_NEO4J/VERSION (#PCDATA) 


The Neo4j version. Only Neo4j 3.x version is supported at this time. 
/AUTH_NEO4J_LIST_OUTPUT/RESPONSE/AUTH_NEO4J_LIST/AUTH_NEO4J/NEO4J_AUTO_PATH (#PCDATA) 


The value 1 indicates that auto discovery is enabled in the record for auto 
discovering the base and configuration paths on Unix hosts. The value 0 
indicates the option is disabled. 


Nginx Response 
Nnginx-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_NGINX_LIST_OUTPUT/RESPONSE/AUTH_NGINX_LIST/AUTH_NGINX 


(ID, TITLE,IP_SET?, UNIX_BIN_PATH?, UNIX_CONF_PATH?, 
UNIX PREFIX PATH?, COMMENTS?) 


/AUTH NGINX LIST. OUTPUT/RESPONSE/AUTH. NGINX LIST/AUTH. NGINX/UNIX BIN PATH (#PCDATA) 
The absolute path of the Nginx binary file location your Unix hosts. 
/AUTH NGINX LIST. OUTPUT/RESPONSE/AUTH. NGINX LIST/AUTH. NGINX/UNIX. CONF. PATH (#PCDATA) 
The path to the Nginx configuration file on your Unix hosts. 
/AUTH. NGINX LIST. OUTPUT/RESPONSE/AUTH. NGINX LIST/AUTH. NGINX/UNIX PREFIX PATH (#PCDATA) 


The path to the Nginx base directory on your Unix hosts. 


IBM DB2 Response 
IBM DB2-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH IBM DB2 LIST OUTPUT/RESPONSE/AUTH IBM DB2 LIST/AUTH IBM. DB2 


(ID, TITLE, USERNAME, DATABASE, PORT, IP SET, PC ONLY?, 
LOGIN TYPE?, DIGITAL VAULT?, NETWORK ID?, CREATED, 
LAST. MODIFIED, COMMENTS? 


/AUTH IBM DB2 LIST. OUTPUT/RESPONSE/AUTH IBM. DB2 LIST/AU BM. DB2/ 


[he user account to be used for authentication on target hosts. 
/AUTH_IBM_DB2_LIST_OUTPUT/RESPONSE/AUTH_IBM_DB2_LIST/AU BM_DB2/DATABASE (#PCDATA) 
The database name of the database to be scanned. 
/AUTH_IBM_DB2_LIST_OUTPUT/RESPONSE/AUTH_IBM_DB2_LIST/AU BM_DB2/PORT (#PCDATA) 


J 


[he port number that the database is running on. 
/AUTH_IBM_DB2_LIST_OUTPUT/RESPONSE/AUTH_IBM_DB2_LIST/AUTH_IBM_DB2/PC_ONLY (#PCDATA) 


[he value 1 indicates the record is defined for compliance scans only. 


VMware Response 
VMware-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_VMWARE_LIST_OUTPUT/RESPONSE/AUTH_VMWARE_LIST/AUTH_VMWARE 
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XPath element specifications / notes 


(ID, TITLE, USERNAME?, PORT, SSL VERIFY?, HOSTS?, IP SET, 
LOGIN TYPE?, DISCONNECTED ESXI?, DIGITAL VAULT?,NETWORK ID?, 
CREATED, LAST. MODIFIED, COMMENTS?) 


/AUTH. VMWARE LIST. OUTPUT/RESPONSE/AUTH. VMWARE. LIST/AUTH. VMWARE/ 
USERNAME (4PCDATA) 


The user account to be used for authentication on target hosts. This is an 
ESXi account or a Windows domain account, in which case the formatis 
domain\user. 


/AUTH_VMWARE_LIST_OUTPUT/RESPONSE/AUTH_VMWARE_LIST/AUTH_VMWARE/ 
PORT (*PCDATA) 


The port where the ESXi web services are running. 


/AUTH_VMWARE_LIST_OUTPUT/RESPONSE/AUTH_VMWARE_LIST/AUTH_VMWARE/ 
SSL_VERIFY (4PCDATA) 


A flag indicating the SSL validation setting: "all" means complete SSL 
validation is selected, "skip" means the "Skip Verify” option is selected (host 
SSL certificate is self-signed or uses an SSL certificate signed by a custom 
root CA), "none" means no SSL validation is selected. 


/AUTH_VMWARE_LIST_OUTPUT/RESPONSE/AUTH_VMWARE_LIST/AUTH_VMWARE/ 
HOSTS (*PCDATA) 


The list of FODNs for hosts that correspond to all ESXi host IP addresses on 
which a custom SSL certificate signed by a trusted root CA is installed. 


/AUTH_VMWARE_LIST_OUTPUT/RESPONSE/AUTH_VMWARE_LIST/AUTH_VMWARE/ 
LOGIN_TYPE (*PCDATA) 


Login type is “vault” when a vault is defined for the record or “basic” when a 
vault is not defined. 


/AUTH_VMWARE_LIST_OUTPUT/RESPONSE/AUTH_VMWARE_LIST/AUTH_VMWARE/ 
DISCONNECTED_ESXI (#PCDATA) 


Specify 1 if the ESXi hosts are disconnected and you don't want to send any 
traffic to the ESXi hosts. 


/AUTH_VMWARE_LIST_OUTPUT/RESPONSE/AUTH_VMWARE_LIST/AUTH_VMWARE/ 
DIGITAL_VAULT (4PCDATA 


Vault information, when a vault is defined for the record. See Vault 
Information. 


Apache Response 


Apache-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_APACHE_LIST_OUTPUT/RESPONSE/AUTH_APACHE_LIST/AUTH_APACHE 


ID, TITLE, IP SET, UNIX CONFIGURATION FILE, UNIX CONTROL COMMAND, 
WINDOWS CONFIGURATION FILE?, WINDOWS CONTROL COMMAND?, 
NETWORK. ID?, CREATED, LAST. MODIFIED, IS SYSTEM CREATED?, 

IS ACTIVE?, COMMENTS?) 


/AUTH APACHE LIST OUTPUT/RESPONSE/AUTH. APACHE LIST/AUTH. APACHE/ 
UNIX CONFIGURATION FILE (#PCDATA) 


The path to the Apache configuration file (valid for Apache Web Server 
record only). 
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cifications / notes 


/AUTH APACHE LIST OUTPUT/RESPONSE/AUTH. APACHE LIST/AUTH. APACHE/ 
UNIX CONTROL COMMAND (#PCDATA) 


The path to the Apache control command (valid for Apache Web Server 


record only). 


/A 
W 


UTH APACHE LIST. OUTPUT/RESPONSE/AUTH 
NDOWS CONFIGURATION FILE (#PCDATA 


The Windows 


Server record 


LIA 


only). 


PACHE_LIST/AUTH_APACHE/ 


path to the Apache configuration file (valid for Apache Web 


/A 
W 


UTH APACHE LIST. OUTPUT/RESPONSE/AUTH 
NDOWS. CONTROL COMMAND (4PCDATA) 


The Windows p 


Server record 


LIA 


only). 


PACHE_LIST/AUTH_APACHE/ 


ath to the Apache control command (valid for Apache Web 


/A 


UNA PACIEN SO UE DE 
IS SYSTEM. CREATED (#PCDATA) 


indicates tha 
record only. 


ESPONSE/AUT 


APACHE LIST/AUTH 


t the record is user crea 


_APACHE/ 


A value of 1 indicates that the record is system created. A value of 0 
ted. Valid for Apache Web Server 


/AUTH_APACHE_LIST_OUTPUT/RESPONSE/AUT 


IS_ACTIVE (#PCDATA) 


_APACHE_LIST/AUTH_APACHE/ 


A value of 1 indicates that the record is active. A value of 0 indicates that 
the record is not active. Valid for Apache Web Server record only. 


IBM WebSphere Response 


IBM WebSphere-specific elements (in bold) are described below. 


XPath 


element spe 


cifications / notes 


/AUTH_IBM_WEBSPHERE_LIST_OUTPUT/RES 


PONSE/AUTH_IBM_WEBSPHE 


RE LIST/AUTH.I 


BM WEBSPH 


ERE 


(ID, TITLE, IP SET, UNIX INSTALLATION DIRECTORY?, UNIX DIR MODE?, 
WINDOWS INSTALLATION DIRECTORY?, NETWORK ID?, C 


LAST. MOD 


HIE 


D, IS SYSTEM CREATED?, 


IS ACTIVE?, COMMENTS? 


REATED, 


/AUTH IBM. WE 


- WEBSPHERE LIST OUTPU 
UNIX_INSTALLATION_ 


/RES 
DIRECTORY (#PCDATA 


The directory 


PONS 


E/AUT 


_IBM_W 


where the 


EBSPH 


WebSphere appli 


Ele ILJU 


cation is inst 


Al 


alled. 


EBSP 


BM W 


ERE/ 


/AUTH. IBM. WE 
UNIX. DIR MOD 


BSPHERE LIST. OUTPU 
E (4PCDATA) 


/RES 


instal 


PONS 


The Unix directory mode setti 
ation direc 


E/AUTH IBM. W 


ng 


tory 


EBSPH 


or server_dir (for server di 


ERE LIST/AUT 


I 


in the record: installation_dir ( 
rectory). 


BM_WEBSP 


for 


ERE/ 


/AUTH_IBM_WE 
WINDOWS. 


BSPHE 


_INSTALLATION D 


RETS (0) 10141107) 


The Windows 


/RESPONS 
IRECTORY (#PCDATA 


E/AUTH_IBM_WEBS 


directory 


ERE_LIST/AUT 


where the WebSphere applicati 


lon 


-IBM W 


EBSP 


is installed. 


ERE/ 


/AUTH IBM. WEBSPHE 
SESMS MENA GREEN 


RE_LIST_OUTPU 
#PCDATA) 


/RESPONS 


[he value 1 ind 
indicates that i 


E/AUT EBS 


_IBM_W 


t's user created. 


ERE. LIST/AUT 
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EBSP 


ERE/I 


icates that this record was system created. A value of 0 


/AUTH IBM. WEBSPHE 
S ACTIVE (4PCDATA) 


e TLS (ONGA 


PUT/RESPONSE/AUTH 


IBM WEBS 


144 


PHERE LIST/AUTH IBM WEBSPHERE/I 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 4 - Scan Authentication XML 


XPath element specifications / notes 


The value 1 indicates that this record is active. A value of 0 indicates that it 
is inactive. 


H 


[omcat Server Response 


Tomcat Server-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_TOMCAT_LIST_OUTPUT/RESPONSE/AUTH_TOMCAT_LIST/AUTH_TOMCAT 


(ID, TITLE, IP SET, INSTALLATION PATH?, INSTANCE PATH?, 
AUTO DISCOVER INSTANCES?, INSTALLATION PATH WINDOWS?, 
INSTANCE PATH WINDOWS?, SERVICE NAME WINDOWS?, 

IS SYSTEM CREATED?, IS ACTIVE?, NETWORK. ID 2, CREATED, 
LAST. MODIFIED, COMMENTS? 


/AUTH. TOMCAT. LIST OUTPUT/RESPONSE/AUTH. TOMCAT LIST/AU OMCAT/INSTALLATION. PATH 


(4PCDATA) 


The Unix directory where the tomcat server is installed. 


/AUTH_TOMCAT_LIST_OUTPUT/RESPONSE/AUTH_TOMCAT_LIST/AU OMCAT/INSTANCE_PATH 
(#PCDATA) 


The Unix directory where the tomcat server instance(s) are installed, if 
specified. 


/AUTH_TOMCAT_LIST_OUTPUT/RESPONSE/AUTH_TOMCAT_LIST/AUTH_TOMCAT/AUTO_DISCOVER_INSTA 
NCES (4PCDATA) 


The value 1 indicates that the “Auto Discover Instances” option is enabled 
for the record. The value 0 indicates that the option is disabled. 


/AUTH_TOMCAT_LIST_OUTPUT/RESPONSE/AUTH_TOMCAT_LIST/AUTH_TOMCAT/INSTALLATION_PATH_WI 
NDOWS (4PCDATA) 


The Windows directory where the tomcat server is installed. 


/AUTH. TOMCAT. LIST. OUTPUT/RESPONSE/AUTH. TOMCAT. LIST/AU OMCAT/INSTANCE. PATH. WINDO 
WS (4PCDATA) 


[The Windows directory where the tomcat server instance(s) are installed, if 
specified. 
/AUTH_TOMCAT_LIST_OUTPUT/RESPONSE/AUTH_TOMCAT_LIST/AUTH_TOMCAT/SERVICE_NAME_WINDO 
WS (#PCDATA) 


[The Windows service name for the apache tomcat server running as a 
service, if specified. 


HTTP Response 


HTTP-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AU P_LIST/AU IE 


(ID, TITLE, USERNAME, SSL, (REALM|VHOST),IP_SET?, NETWORK_ID?, 
CREATED, LAST. MODIFIED, COMMENTS?) 


/AUTH HTTP LIST. OUTPUT/RESPONSE/AUT P LIST/AU HTTP/USERNAME (4PCDATA) 


The user name used for authentication. 
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XPath element specifications / notes 
/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH HTTP LIST/AUTH HTTP/ SSL (#PCDAT 
Aflagindicatingthe SSL setting. 1 means we'll attempt authentication over 
SSL only; 0 means we'll attempt authentication without this restriction. 
/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH HTTP LIST/AUTH HTTP/REALM (#PCDATA) 
The realm to authenticate against. 
/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH. HTTP LIST/AUTH HTTP/VHOST (4PCDATA) 
The virtual host to authenticate against. 
Sybase 


Sybase-specific elements (in bold) are described below. 


XPath 


element specifications / notes 


/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH. SYBASE LIS'I 


[/AUTH_SYBASE 


(ID, TITLE, USERNAME, (DATABASE | AUTO DISCOVER DATABASES), PORT, 
PASSWORD ENCRYPTION?, INSTALLATION DIR?, Ie Sere LOGIN TYPE?, 


DIGITAL VAULT?, NETWORK ID?, C 


REATED, LAST. MODIFIED, 


COMMENTS?) 

/AUTH. SYBASE LIST. OUTPUT/RESPONSE/AUTH. SYBASE LIST/AUTH SYBASE/USERNAME (#PCDATA) 

The user name used for authentication. 
/AUTH_SYBASE_LIST_OUTPUT/RESPONSE/AUTH_SYBASE_LIST/AUTH_SYBASE/DATABASE| 
AUTO_DISCOVER_DATABASES (#PCDATA) 

The name of the Sybase database to authenticate to or 

AUTO_DISCOVER_DATABASES=1 if databses are auto-discovered. 
/AUTH_SYBASE_LIST_OUTPUT/RESPONSE/AUTH_SYBASE_LIST/AUTH_SYBASE/PORT (#PCDATA) 

The port the Sybase database is on. 
/AUTH_SYBASE_LIST_OUTPUT/RESPONSE/AUTH_SYBASE_LIST/AUTH_SYBASE/PASSWORD_ENCRYPTION 
(#PCDATA) 

The flag for password encryption. Set to 1 when password encryption is 

enabled in the Sybase record.When set to 0 (the default), password 

encryption is not enabled. 
/AUTH_SYBASE_LIST_OUTPUT/RESPONSE/AUTH_SYBASE_LIST/AUTH_SYBASE/ 
NSTALLATION DIR (#PCDATA) 
The Sybase database installation directory. 
/AUTH. SYBASE LIST. OUTPUT/RESPONSE/AUTH. SYBASE LIST/AUTH. SYBASE/ 
LOGIN TYPE (#PCDATA) 
Login type is "vault" when a vault is defined for the record. 
/AUTH. SYBASE LIST OUTPUT/RESPONSE/AUTH. SYBASE LIST/AUTH. SYBASE/ 
DIGITAL VAULT/ 
Vault information, when a vault is defined for the record. See Vault 


Information. 


MySOL Response 
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MySQL-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_MYSQL_LIST/AUTH_MYSQL 
(ID, TITLE, USERNAME, DATABASE, PORT, HOSTS?, IP_SET?, DIGITAL VAULT?, 


SSL VERIFY, WINDOWS CONF FILE, UNIX CONF FILE, CLIENT CERT?, 
CLIENT KEY?, NETWORK ID?, CREATED, LAST. MODIFIED, COMMENTS?) 


/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH. MYSOL LIST/AUTH MYSOL/USERNAME (4PCDATA) 


[he user name used for authentication. 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_MYSQL_LIST/AUTH_MYSQL/DATABASE (#PCDATA) 


[he database that will be authenticated to. 

/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_MYSQL_LIST/AUTH_MYSQL/PORT (#PCDATA) 
The port the database is running on. 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_MYSQL_LIST/AUTH_MYSQL/HOSTS (#PCDATA) 


A list of FQDNs for the hosts that correspond to all host API addresses on 
which a custom SSL certificate signed by a trusted root CA is installed. 


/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH MYSOL LIST/AUTH MYSOL/IP SET (IP|IP RANGE) 


The IP address(es) the server will log into using the record’s credentials. 
/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH. MYSOL LIST/AUTH. MYSOL/DIGITAL VAULT 


Vault information, when a vault is defined for the record. 


/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH. MYSOL LIST/AUTH MYSOL/SSL VERIFY (#PCDATA) 


A flagindicating whether complete SSL certificate validation is enabled. 
The value 1 (enabled) means we'll send a login request after verifying that a 
connection the MySQL server uses SSL, the server SSL certificate is valid 
and matches the scanned host. The value 0 (disabled) means we'll attempt 
authentication with MySOL Servers that do and do not use SSL; in the case 
of SSL the server SSL certificate verification will be skipped. 


/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. MYSOL LIST/AUTH. MYSOL/ 
WINDOWS CONF FILE (#PCDATA) 


The path to the Windows MySQL conf file. 
P LIST OUTPUT/RESPONSE/AUTH. MYSOL LIST/AUTH. MYSOL/ 


The path to the Unix MySQL conf file. 
/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH. MYSOL LIST/AUTH MYSOL/CLIENT. CERT (4PCDATA) 
PEM-encoded X.509 certificate. 
/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH MYSOL LIST/AUTH. MYSOL/CLIENT. KEY (#PCDATA) 


PEM-encoded RSA private key. 


MariaDB Response 


MariaDB-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH MARIADB LIST. OUTPUT/RESPONSE/AUTH. MARIADB LIST/AUTH. MARIADB 


(ID, TITLE, USERNAME, DATABASE, PORT, HOSTS?, IP SET?, LOGIN TYPE?, 
DIGITAL VAULT?, SSL VERIFY, WINDOWS CONF FILE, UNIX CONF FILE, 
CLIENT CERT?, CLIENT KEY?, NETWORK. ID?, CREATED, LAST. MODIFIED, 
COMMENTS?) 
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XPath element specifications / notes 
/AUTH MARIADB LIST OUTPUT/RESPONSE/AUTH. MARIADB LIST/AU MARIADB/USERNAME 


[The user name used for authentication. 
/AUTH. MARIADB LIST. OUTPUT/RESPONSE/AUTH. MARIADB LIST/AU MARIADB/DATABASE (#PCDATA) 


The database that will be authenticated to. 
/AUTH_MARIADB_LIST_OUTPUT/RESPONSE/AUTH_MARIADB_LIST/AUTH_MARIADB/PORT (#PCDATA) 


The port the database is running on. 
/AUTH_MARIADB_LIST_OUTPUT/RESPONSE/AUTH_MARIADB_LIST/AUTH_MARIADB/HOSTS (#PCDATA) 
A list of FQDNs for the hosts that correspond to all host IP addresses on 
c 
S 


which a custom SSL certificate signed by a trusted root CA is installed. 


/AUTH_MARIADB_LIST_OUTPUT/RESPONSE/AUTH_MARIADB_LIST/AUTH_MARIADB/LOGIN_TYPE 


Login type is "vault" when a vault is defined for the record. 
/AUTH_MARIADB_LIST_OUTPUT/RESPONSE/AUTH_MARIADB_LIST/AU MARIADB/DIGITAL_VAULT 


DIGITAL VAULT ID, DIGITAL VAULT TYPE, DIGITAL VAULT TITLE, 
VAULT_USERNAME?, VAULT_FOLDER?, VAULT_FILE?, 
VAULT_SECRET_NAME?, VAULT_SYSTEM_NAME?, VAULT_EP_NAME?, 
WAIUILA Jel? da? WANUILIF 122 CONI AVANS SOREA 


VAULT_NS_NAME?, VAULT_ACCOUNT_NAME?, VAULT_SECRET_KV_PATH?, 


VAULT_SECRET_KV_NAME?, VAULT_SECRE ENE) 
Vault information, when a vault is defined for the record. 


/AUTH_MARIADB_LIST_OUTPUT/RESPONSE/AUTH_MARIADB_LIST/AUTH_MARIADB/SSL_VERIFY 
(#PCDATA) 


A flag indicating whether complete SSL certificate validation is enabled. 
The value 1 (enabled) means we'll send a login request after verifying that a 
connection the MariaDB server uses SSL, the server SSL certificate is valid 
and matches the scanned host. The value 0 (disabled) means we'll attempt 
authentication with MariaDB servers that do and do not use SSL; in the 
case of SSL the server SSL certificate verification will be skipped. 


/AUTH_MARIADB_LIST_OUTPUT/RESPONSE/AUTH_MARIADB_LIST/AUTH_MARIADB/ 
WINDOWS_CONF_FILE (#PCDATA) 


The path to the Windows MariaDB conf file. 
LIST_OUTPUT/RESPONSE/AUTH_MARIADB_LIST/AUTH_MARIADB/ 


[he path to the Unix MariaDB conf file. 
/AUTH_MARIADB_LIST_OUTPUT/RESPONSE/AUTH_MARIADB_LIST/AUTH_MARIADB/CLIENT_CERT 


PEM-encoded X.509 certificate. 
/AUTH_MARIADB_LIST_OUTPUT/RESPONSE/AUTH_MARIADB_LIST/AUTH_MARIADB/CLIENT_KEY 


PEM-encoded RSA private key. 


WebLogic Server Response 
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WebLogic Server-specific elements (in bold) are described below. 


4 - Scan Authentication XML 


XPath element specifications / notes 
/AUTH ORACLE WEBLOGIC LIST OUTPUT/RESPONSE/AUTH. ORACLE WEBLOGIC LIST/ 
AUTH_ORACLE_WEBLOGIC 
(ID, TITLE, IP_SET, INSTALLATION_PATH, AUTO DISCOVER, DOMAIN?, 
NETWORK_ID?, CREATED, LAST_MODIFIED, COMMENTS? 
/AUTH_ORACLE_WEBLOGIC_LIST_OUTPUT/RESPONSE/AUTH_ORACLE_WEBLOGIC_LIST/ 
AUTH ORACLE WEBLOGIC/INSTALLATION PATH (#PCDATA) 
The directory where the Oracle WebLogic Server is installed. 
/AUTH ORACLE WEBLOGIC LIST OUTPUT/RESPONSE/AUTH. ORACLE WEBLOGIC LIST/ 
AUTH ORACLE WEBLOGIC/AUTO DISCOVER (#PCDATA) 
A flagindicating whether auto-discovery of domains is enabled. 1 means 
auto-discovery is enabled, and 0 means it’s not enabled and a single 
domain is defined for the record. 
/AUTH_ORACLE_WEBLOGIC_LIST_OUTPUT/RESPONSE/AUTH_ORACLE_WEBLOGIC_LIST/ 
AUTH ORACLE WEBLOGIC/DOMAIN (#PCDATA) 


A single Oracle WebLogic Server domain name. 


Docker 
Docker-specific elements (in bold) are described below. 
XPath element specifications / notes 
/AUTH. HTTP LIST OUTPUT/RESPONSE/AUTH DOCKER. LIST/AUTH. DOCKER 
(ID, TITLE, DAEMON CONFIGURATION FILE?, DOCKER COMMAND?, IP. SET, 
NETWORK ID?, CREATED, LAST. MODIFIED, COMMENTS?) 
/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. DOCKER. LIST/AUTH. DOCKER/ 
DAEMON. CONFIGURATION FILE (#PCDATA) 
Location of the configuration file for the docker daemon. 
/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. DOCKER. LIST/AUTH. DOCKER/ 
DOCKER COMMAND (#PCDATA) 


The docker command to connect to a local docke 


T daemon. 


PostgreSOL Response 


PostgreSQL-specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_POSTGRESQL_LIST/AUTH_POSTGRESQL 
(ID, TITLE, USERNAME, DATABASE, PORT, SSL_VERIFY, HOSTS?, IP_SET?, 
LOGIN TYPE?, DIGITAL VAULT?, WIN CONF FILE?, UNIX_CONF FILE?, 
PRIVATE KEY CERTIFICATE LIST?, NETWORK ID?, CREATED, 
LAST. MODIFIED, COMMENTS?) 
/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. POSTGRESOL LIST/AUTH. POSTGRESOL/ 
USERNAME (#PCDATA) 
The user name used for authentication. 
/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. POSTGRESOL LIST/AUTH. POSTGRESOL/ 


DATABASE (4PCDATA) 


The database instance you want to authenticate to. 
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XPath element specifications / notes 
/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. POSTGRESOL. LIST/AUTH. POSTGRESOL/ 
PORT (#PCDATA) 

The port where the PostgreSOL database is running. 
/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH. POSTGRESOL LIST/AUTH. POSTGRESOL/ 
SSL VERIFY (#PCDATA) 

1 means SSL verification is enabled; 0 means itis not enabled. 
/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. POSTGRESOL LIST/AUTH. POSTGRESOL/ 
HOSTS (#PCDATA 

A list of FQDNs for all host IP addresses on which a custom SSL certificate 

signed by a trusted root CA is installed. 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_POSTGRESQL_LIST/AUTH_POSTGRESQL/ 
LOGIN_TYPE (#PCDATA) 

Login type is "vault" when a vault is defined for the record. 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_POSTGRESQL_LIST/AUTH_POSTGRESQL/ 
DIGITAL_VAULT 

(DIGITAL_VAULT_ID, DIGITAL_VAULT_TYPE, DIGITAL_VAULT_TITLE, 

VAULT_USERNAME?, VAULT_FOLDER?, VAULT_FILE?, 

VAULT_SECRET_NAME?, VAULT_SYSTEM_NAME?, VAULT_EP_NAME?, 

WAIE 1312 ar, WANUILI Je}? (GOING, Vuka NIS: 1002182, 

VAULT. NS NAME?, VAULT ACCOUNT. NAME?, VAULT. SECRET KV PATR?, 

VAULT. SECRET. KV. NAME?, VAULT. SECRET. KV. KEY?) 

Vault information, when a vault is defined for the record. 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_POSTGRESQL_LIST/AUTH_POSTGRESQL/ 
WIN_CONF_FILE (#PCDATA) 

The full path to the PostgreSQL configuration file on your Window assets (IP 

addresses). 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_POSTGRESQL_LIST/AUTH_POSTGRESQL/ 
UNIX_CONF_FILE (#PCDATA) 

The full path to the PostgreSQL configuration file on your Unix assets (IP 

addresses). 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_POSTGRESQL_LIST/AUTH_POSTGRESQL/ 
PRIVATE_KEY_CE EAS (RIV Aui SE ven G RIBA lie a 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_POSTGRESQL_LIST/AUTH_POSTGRESQL/ 
PRIVATE_KEY_CE FICATE_LIST/PRIVATE_KEY_CERTIFICATE 

(ID, PRIVATE_KEY_INFO, PASSPHRASE_INFO, CERTIFICATE?) 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_POSTGRESQL_LIST/AUTH_POSTGRESQL/ 
PRIVATE_KEY_CERTIFICATE_LIST/PRIVATE_KEY_CERTIFICATE/ID 

The private certificate ID. 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_POSTGRESQL_LIST/AUTH_POSTGRESQL/ 
PRIVATE_KEY_CERTIFICATE_LIST/PRIVATE_KEY_CERTIFICATE/PRIVATE_KEY_INFO 

(PRIVATE_KEY|DIGITAL_VAULT) 

attribute: type (basic|vault) "basic" 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_POSTGRESQL_LIST/AUTH_POSTGRESQL/ 
PRIVATE_KEY_CERTIFICATE_LIST/PRIVATE_KEY_CERTIFICATE/PASSPHRASE_INFO (DIGITAL_VAULT?) 

attribute: type (basic|vault) "basic" 
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MongoDB-specific elements (in bold) are described below. 


XPath 


element specifications / notes 


/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. MONGODB LIST/AUTH. MONGODB 


(ID, TITLE, USERNAME?, CREDENTIAL TYPE?, CLEARTEXT?, DATABASE, PORT, 
UNIX CONFIGURATION FILE, SSL VERIFY?, HOSTS?, IP SET?, 
LOGIN TYPE?, DIGITAL VAULT?, PRIVATE KEY CERTIFICATE LIST?, 


NETWORK ID?, CREATED, LAST. MODIFIED, COMMENTS?) 
/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. MONGODB LIST/AUTH. MONGODB/ 

USERNAME (#PCDATA) 

The user name used for authentication. 

/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. MONGODB LIST/AUTH. MONGODB/ 
CREDENTIAL TYPE (#PCDATA) 

The credential type used for authentication 
/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. MONGODB LIST/AUTH. MONGODB/ 

CLEARTEXT (#PCDATA 

The cleartext option used for external LDAP authentication. 
/AUTH. HTTP. LIST. OUTPUT/RESPONSE/AUTH. MONGODB. LIST/AUTH. MONGODB/ 

DATABASE (#PCDATA) 

The database instance you want to authenticate to. 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_MONGODB_LIST/AUTH_MONGODB/ 

PORT (#PCDATA) 

The port where the MongoDB instance is running. 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_MONGODB_LIST/AUTH_MONGODB/ 

SSL_VERIFY (#PCDATA) 
means SSL verification is enabled; 0 means it is not enabled. 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_MONGODB_LIST/AUTH_MONGODB/ 
HOSTS (#PCDATA 

A list of FQDNs for all host IP addresses on which a custom SSL certificate 

signed by a trusted root CA is installed. 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_MONGODB_LIST/AUTH_MONGODB/ 

LOGIN. TYPE (#PCDATA) 

Login type is "vault" when a vault is defined for the record. 
/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. MONGODB LIST/AUTH. MONGODB/ 
DIGITAL VAULT 

(DIGITAL VAULT ID, DIGITAL VAULT. TYPE, DIGITAL VAULT. TITLE, 

VAULT. FOLDER?, VAULT_FILE?, VAULT SECRET. NAME?, 

VAULT. SYSTEM. NAME?, VAULT EP NAME?, VAULT EP TYPE?, 

VAULT EP CONT?, VAULT ACCOUNT. NAME?, VAULT SECRET. KV PATH?, 

VAULT. SECRET. KV. NAME?, VAULT. SECRET. KV. KEY?) 

Vault information, when a vault is defined for the record. 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_MONGODB_LIST/AUTH_MONGODB/ 
UNIX_CONF_FILE (#PCDATA) 

The full path to the MongoDB configuration file on your Unix assets (IP 

addresses). 
/AUTH_HTTP_LIST_OUTPUT/RESPONSE/AUTH_MONGODB_LIST/AUTH_MONGODB/ 
PRIVATE_KEY_CERTIFICATE_LIST (PRIVATE_KEY_CERTIFICATE)* 
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XPath element specifications / notes 
/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH. MONGODB LIST/AUTH. MONGODB/ 
PRIVATE KEY CE FICATE. LIST/PRIVATE. KEY CERTIFICATE 


(ID, PRIVATE. KEY INFO, PASSPHRAS RTIFICATE?) 


/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH. MONGODB LIST/AUTH. MONGODB/ 
PRIVATE. KEY CERTIFICATE. LIST/PRIV: FICATE/ID 


The private certificate ID. 


/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. MONGODB. LIST/AUTH. MONGODB/ 
PRIVATE. KEY. CERTIFICATE. LIST/PRIVATE. KEY. CERTIFICATE/PRIVATE. KEY INFO 


(PRIVATE. KEYIDIGITAL VAULT) 
attribute: type (basic|vault) "basic" 


/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH. MONGODB LIST/AUTH. MONGODB/ 
PRIVATE KEY CERTIFICATE, LIST/PRIVATE. KEY CERTIFICATE/PASSPHRASE INFO (DIGITAL VAULT?) 
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attribute: type (basic|vault) "basic" 


Palo Alto Firewall Response 
Palo Alto Firewall-specific elements (in bold) are described below. 


XPath element specifications / notes 


/AUTH HTTP LIST. OUTPUT/RESPONSE/AUTH PALO ALTO FIREWALL LIST/ 
AUTH PALO ALTO FIREWALL 


(ID, TITLE, USERNAME?, SSL VERIEY, IP SET?, LOGIN TYPE?, 
DIGITAL VAULT?, NETWORK ID?, CREATED, LAST. MODIFIED, 
COMMENTS?) 


/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH. PALO ALTO FIREWALL LIST/ 
AUTH PALO ALTO FIREWALL/USERNAME (#PCDATA) 


The user name used for authentication. 


E E RESPONSE/AUTH PALO ALTO FIREWALL LIST/ 
AUTH PALO ALTO FIREWALL/SSL VERIFY (4PCDATA) 


1 means SSL verification is enabled; 0 means itis not enabled. 


/AUTH. HTTP LIST. OUTPUT/RESPONSE/AUTH PALO ALTO FIREWALL LIST/ 
AUTH PALO ALTO FIREWALL/LOGIN. TYPE (#PCDATA) 


Login type is "vault" when a vault is defined for the record. 


TP. LIST OUTPUT/RESPONSE/AUTH. PALO ALTO FIREWALL LIST/ 
AUTH PALO ALTO FIREWALL/DIGITAL VAULT 


(DIGITAL VAULT ID, DIGITAL VAULT. TYPE, DIGITAL VAULT. TITLE, 
VAULT. FOLDER?, VAULT_FILE?, VAULT SECRET. NAME?, 
VAULT. SYSTEM. NAME?, VAULT ACCOUNT. NAME?) 


Vault information, when a vault is defined for the record. 


JBoss Server Response 


JBoss Server-specific elements (in bold) are described below. 
XPath element specifications / notes 
/AUTH_JBOSS_OUTPUT/RESPONSE 


(DATETIME, (AUTH_JBOSS_LIST|ID_SET)?, WARNING LIST?, 
GLOSSARY?)> 
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element specifications / notes 


/AUTH JBOSS. OU 


PUT/RESPONSE/AUTH JBOSS LISTJID. SET 


One or more JBoss authentication record IDs. 


/AUTH_JBOSS_OU 


PUT/RESPONSE/AUTH_JBOSS_LIST/AUTH_JBOSS 


ID, TITLE, IP SET, WINDOWS ?, UNIX?, NETWORK ID?, CREATED, 
LAST. MODIFIED, COMMENTS?) 


/AUTH JBOSS OUTPUT/RESPONSE/AUTH JBOSS LIST/AUTH JBOSS/WINDOWS 


(HOME. PAT 


CONF HOST. FILE PATH?) 


H?, DOMAIN MODE?, 


BASE PATH?, CONF DIR PATH?, CONF FILE PATH?, 


Windows platform configuration settings 


/AUTH JBOSS OUTPUT/RESPONSE/AUTH JBOSS LIST/AUTH. JBOSS/UNIX 


(HOME. PAT 


CONF HOST. FILE PATH?) 


H?, DOMAIN MODE?, 


BASE PATH?, CONF DIR PATH?, CONF FILE PATH?, 


Unix platform configuration settings 


InformixDB Response 


InformixDB-specific elements (in bold) are described below. 


XPath 


element specifications / notes 


/AUTH INFORMIXDB LIST OUTPUT/RESPONSE/AUTH INFORMIXDB LIST/AUTH. INFORMIXDB 


ID, TITLE, USERNAME, DATABASE, SERVER?, PORT, UNIX?, SSL VERIFY?, 
HOSTS?, IP SET?, LOGIN TYPE?,NETWORK ID?, CREATED, LAST. MODIFIED, 
COMMENTS?) 


/AUTH INFORMIXDB LIST OUTP 


UT/RESPONSE/AUTH_INFORMIXDB_LIST/AUTH_INFORMIXDB/USERNAME 


[The user name used for authentication. 


/AUTH_INFORMIXDB_LIST_OUTP 


UT/RESPONSE/AUTH_INFORMIXDB_LIST/AU NFORMIXDB/DATABASE 


[he database that will be authenticated to. 


/AUTH_INFORMIXDB_LIST_OUTP 


UT/RESPONSE/AUTH_INFORMIXDB_LIST/AU NFORMIXDB/SERVER 


[he unique name of the database server that will be authenticated to. 


/AUTH_INFORMIXDB_LIST_OUTP 


UT/RESPONSE/AUTH_INFORMIXDB_LIST/AUTH_INFORMIXDB/PORT 


The port the database is running on. 


/AUTH_INFORMIXDB_LIST_OUTP 


UT/RESPONSE/AUTH_INFORMIXDB_LIST/AUTH_INFORMIXDB/UNIX 
(CONFIG_PATH?, ONCONFIG?, SOLHOSTS?) 


Enter the full path to the InformixDB configuration files on your Unix hosts. 


/AUTH_INFORMIXDB_LIST_OUTPUT/RESPONSE/AUTH_INFORMIXDB_LIST/AUTH_INFORMIXDB/SSL_VERIFY 


(#PCDATA) 


A flag indicating whether complete SSL certificate validation is enabled. 
The value 1 (enabled) means we'll send a login request after verifying that a 
connection the InformixDB server uses SSL, the server SSL certificate is 
valid and matches the scanned host. The value 0 (disabled) means we'll 
attempt authentication with InformixDB servers that do and do not use 
SSL; in the case of SSL the server SSL certificate verification will be skipped. 


/AUTH_INFORMIXDB_LIST_OUTPUT/RESPONSE/AUTH_INFORMIXDB_LIST/AUTH_INFORMIXDB/HOSTS 


(#PCDATA) 
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XPath element specifications / notes 
A list of FQDNs for the hosts that correspond to all host IP addresses on 
which a custom SSL certificate signed by a trusted root CA is installed. 


/KUTH INFORMIXDB LIST. OUTPUT/RESPONSE/AUTH. INFORMIXDB LIST/AUTH. INFORMIXDB/LOGIN. TYP 
E (4PCDATA) 


Login type is basic by default. 


Oracle HTTP Server Response 


Oracle HTTP Server-specific elements (in bold) are described below. 


XPath element specifications / notes 


/AUTH. ORACLE HTTP SERVER LIST OUTPUT/RESPONSE/AUTH. ORACLE HTTP SERVER. LIST/AUTH. ORAC 
DESENELPESERVER 


(ID, TITLE, IP. SET, WINDOWS ?, UNIX?, NETWORK ID?, CREATED, 

LAST. MODIFIED, COMMENTS?) 

/AUTH. ORACLE. HTTP SERVER OUTPUT/RESPONSE/AUTH. ORACLE. HTTP. SERVER LIST/AUTH. ORACLE H 
TTP. SERVER/WINDOWS 
(HOME PATH?, DOMAIN. PATH?, INST. PATH?, INST. NAM E?) 


Windows platform configuration settings 


/AUTH ORACLE HTTP. SERVER. OUTPUT/RESPONSE/AUTH. ORACLE HTTP SERVER. LIST/AUTH. ORACLE H 
TTP. SERVER/UNIX 
(HOME PATH?, DOMAIN. PATH?, INST. PATH?, INST. NAME?) 


Unix platform configuration settings 


Pivotal Greenplum Response 


Pivitol Greenplum specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH. GREENPLUM LIST. OUTPUT/RESPONSE/AUTH. GREENPLUM LISTJID. SET/AUTH. GREENPLUM 


ID, TITLE, USERNAME, DATABASE, PORT, SSL VERIEY, HOSTS?, IP SET?, 
LOGIN TYPE?, DIGITAL VAULT?, UNIX CONF FILE, 

PRIVATE KEY CERTIFICATE LIST?, NETWORK ID?, CREATED, 

LAST. MODIFIED, COMMENTS 2) 


/AUTH. GREENPLUM. LIST. OUTPUT/RESPONSE/AUTH. GREENPLUM LISTJID. SET/AUTH. GREENPLUM/USERN 
AME? (#PCDATA) 


The user name used for authentication. 
/AUTH_GREENPLUM_LIST_OUTPUT/RESPONSE/AUTH_GREENPLUM_LIST|ID_SET/AUTH_GREENPLUM/DATAB 


The database instance you want to authenticate to. 


/AUTH_GREENPLUM_LIST_OUTPUT/RESPONSE/AUTH_GREENPLUM_LIST|ID_SET/AUTH_GREENPLUM/PORT 
(#PCDATA) 


The port where the database instance is running. Default is 5432. 


/AUTH_GREENPLUM_LIST_OUTPUT/RESPONSE/AUTH_GREENPLUM_LIST|ID_SET/AUTH_GREENPLUM/SSL_V 
ERIFY (#PCDATA) 


SSL verification is skipped by default. Set to 1 if you want to verify the 
server's certificate is valid and trusted. 
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XPath element specifications / notes 


/AUTH. GREENPLUM LIST. OUTPUT/RESPONSE/AUTH. GREENPLUM LISTJID. SET/AUTH. GREENPLUM/HOSTS 
? (4PCDATA) 


(Required if ssl_verify=1) A list of FQDNs for all host IP addresses on which 
a custom SSL certificate signed by a trusted root CA is installed. 


/AUTH_GREENPLUM_LIST_OUTPUT/RESPONSE/AUTH_GREENPLUM_LIST|ID_SET/AUTH_GREENPLUM/DIGIT 
AL_VAULT? (#PCDATA) 


Vault information, when a vault is defined for the record. See Vault 
Information. 


/AUTH_GREENPLUM_LIST_OUTPUT/RESPONSE/AUTH_GREENPLUM_LIST|ID_SET/AUTH_GREENPLUM/UNIX_ 
CONF_FILE (#PCDATA) 


The full path to the configuration file (postgresql.conf) on your Unix assets 
(IP addresses). The file must be in the same location on all assets for this 


/AUTH_GREENPLUM_LIST_OUTPUT/RESPONSE/AUTH_GREENPLUM_LIST|ID_SET/AUTH_GREENPLUM/PRIVA 
KEY_CERTIFICATE)* 
S 


PONSE/AUTH. GREENPLUM LISTJID. SET/AUTH. GREENPLUM/PRIVA 
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(ID, PRIVAT E KEY INFO, PASSPHRASE INFO, CERTIFICATE?) 
GREENPLUM LISTJID. SET/AUTH. GREE 


AUTH. GREENPLUM. LIST. OUTPUT/RESPONSE/AUT ENPLUM_LIST|ID_S 


BIEN, ERTIFICAT E/PRIVATE_KEY_INFO 
(PRIVATE_KEY|DIGITAL_VAULT) 
attribute: type (basic|vault) "basic" 


/AUTH_GREENPLUM_LIST_OUTPUT/RESPONSE/AUTH_GREENPLUM_LIST|ID_SET/AUTH_GREENPLUM/PRIVA 
TE_KEY_CERTIFICATE_LIST?/PRIVATE_KEY_CERTIFICATE/PASSPHRASE_INFO(DIGITAL_VAULT?) 


ttribute: type (basic|vault) "basic" 


/AUTH_GREENPLUM_LIST_OUTPUT/RESPONSE/AUTH_GREENPLUM_LIST|ID_SET/AUTH_GREENPLUM/PRIVA 
TE_KEY_CERTIFICATE_LIST?/PRIVATE_KEY_CERTIFICATE/CERTIFICATE? 


The private key certificate. 
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SAP IO Response 
SAP IQ specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_SAPIQ_LIST_OUTPUT/RESPONSE/AUTH_SAPIQ_LIST/AUTH_SAP_IQ 


(ID, TITLE, USERNAME, IP_SET?, DATABASE, PORT, INSTALLATION DIR?, 
PASSWORD ENCRYPTION?, LOGIN TYPE?, DIGITAL VAULT?, 
NETWORK. ID?, CREATED, LAST. MODIFIED, COMMENTS?) 


/AUTH SAPIO LIST OUTPUT/RESPONSE/AUTH. SAPIO LIST/AUTH. SAP. I0/USERNAME? (#PCDATA) 


The user name used for authentication. 
/AUTH_SAPIQ_LIST_OUTPUT/RESPONSE/AUTH_SAPIQ_LIST/AUTH_SAP_IQ/DATABASE (#PCDATA) 
The database instance you want to authenticate to. 
/AUTH_SAPIQ_LIST_OUTPUT/RESPONSE/AUTH_SAPIQ_LIST/AUTH_SAP_IQ/PORT (#PCDATA) 


[he port where the database instance is running. 
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/AUTH. SAPIO, LIST OUTPUT/RESPONSE/AUTH. SAPIO, LIST/AUTH. SAP IO/INSTALLATION DIR (4PCDATA) 


The database installation directory for scanning Unix hosts. 


/AUTH. SAPIO LIST OUTPUT/RESPONSE/AUTH SAPIO LIST/AUTH SAP 


Q/PASSWORD_ENCRYPTION 


(#PCDATA) 
1 means password encryption is enabled in the record and 0 (the default) 
means password encryption is not enabled. 
/AUTH_SAPIQ_LIST_OUTPUT/RESPONSE/AUTH_SAPIQ_LIST/AUTH_SAP_IQ/LOGIN_TYPE (#PCDATA) 


Login 


ll be used to retrieve the p 


type can be basic (default) or vault. 
party vault wi 


Set to vault if a third 


assword. 


/AUTH_SAPIQ_LIST_OUTPUT/RESPONS 


(DIGITAL_VAULT_ID, DIGIT 


E/AUTH_SAPIQ_LIST/AUTH_ 


[AL VAU 


SARE 


LI 1084218 


O/DIGITAL VAULT 


DEAL, WANUIIEIE elik JE, 


VAULT. USERNAME?, VAULT. FOLDER?, VAULT. FILE?, 

VAULT. SECRET. NAME?, VAULT. SYSTEM. NAME?, VAULT NS. TYPE?, 
VAULT. NS NAME?, VAULT. SECRET. KV PATH?, 

VAULT. SECRET. KV. NAME?, VAULT. SECRET. KV KEY?, 
VAULT_SERVIGE_TYPE ?) 

Vault information, when a vault is defined for the record. See Vault 
Information. 


SAP Hana Response 


SAP Hana specific elements (in bold) are described below. 


XPath element specifications / notes 
/AUTH_SAP_HANA_LIST_OUTPUT/RESPONSE/AUTH_SAP_HANA_LIST/AUTH_SAP_HANA 

(ID, TITLE, USERNAME, DATABASE, PORT, SSL VERIFY?, HOSTS?, 

IP_SET?, UNIX CONF PATH?, PASSWORD ENCRYPTION?, LOGIN TYPE?, 

DIGITAL VAULT?, NETWORK ID?, CREATED, LAST. MODIFIED, 

COMMENTS?) 

/AUTH. SAP HANA LIST OUTPUT/RESPONSE/AUTH. SAP HANA LIST/AUTH. SAP HANA/USERNAME? 
(#PCDATA) 

The user name used for authentication. 
/AUTH_SAP_HANA_LIST_OUTPUT/RESPONSE/AUTH_SAP_HANA_LIST/AUTH_SAP_HANA/DATABASE 
(#PCDATA) 

The database instance you want to authenticate to. 
/AUTH_SAP_HANA_LIST_OUTPUT/RESPONSE/AUTH_SAP_HANA_LIST/AUTH_SAP_HANA/PORT (#PCDATA) 

The port where the database instance is running. 
/AUTH_SAP_HANA_LIST_OUTPUT/RESPONSE/AUTH_SAP_HANA_LIST/AUTH_SAP_HANA/SSL_VERIFY 
(#PCDATA) 

means SSL verification is enabled; 0 means it is not enabled. 
/AUTH_SAP_HANA_LIST_OUTPUT/RESPONSE/AUTH_SAP_HANA_LIST/AUTH_SAP_HANA/HOSTS (HOST+) 
/AUTH_SAP_HANA_LIST_OUTPUT/RESPONSE/AUTH_SAP_HANA_LIST/AUTH_SAP_HANA/HOSTS/HOST 
(#PCDATA) 

A list of FQDNs for all host IP addresses on which a custom SSL certificate 

signed by a trusted root CA is installed. 
/AUTH_SAP_HANA_LIST_OUTPUT/RESPONSE/AUTH_SAP_HANA_LIST/AUTH_SAP_HANA/UNIX_CONF_PATH 
(#PCDATA) 
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The full path to the SAP HANA configuration file on your Unix assets (IP 
addresses). 


/AUTH. SAP HANA LIS 


OUTPUT/RESPONSE/AUTH. SAP HANA LIST/AUTH. SAP HANA/ 


PASSWORD. ENCRYPTION (#PCDATA) 


means password encryption is enabled in the record and 0 (the default) 
means password encryption is not enabled. 


/AUTH. SAP HANA LIS 


(#PCDATA) 


OUTPU 


/RESPONSE/AUTH_SAP_HANA_LIST/AUTH_SAP_HANA/LOGIN_TYPE 


Login type can be basic (the default) or vault. Set to vault if a third 
party vault will be used to retrieve the password. 


/AUTH_SAP_HANA_LIST_OUTPUT/RESPONSE/AUTH_SAP_HANA_LIST/AUTH_SAP_HANA/DIGITAL_VAULT 


DIGITAL VAULT ID, DIGITAL VAULT TYPE, DIGITAL VAULT TITLE, 
VAULT_USERNAME?, VAULT_FOLDER?, VAULT_FILE?, 
VAULT_SECRET_NAME?, VAULT_SYSTEM_NAME?, VAULT_NS_TYPE?, 
VAULT_NS_NAME?, VAULT_SECRET_KV_PATH?, 
VAULT_SECRET_KV_NAME?, VAULT_SECRET_KV_KEY?, 
VAULT_SERVICE_TYPE?) 


Vault information, when a vault is defined for the record. See Vault 
Information. 


Microsoft SharePoint Response 
Microsoft SharePoint specific elements (in bold) are described below. 
XPath element specifications / notes 
/AUTH_MICROSOFT_SHAREPOINT_LIST_OUTPUT/RESPONSE/AUTH_MICROSOFT_SHAREPOINT_LIST|ID_SET 
/AUTH_MICROSOFT_SHAREPOINT 
ID, TITLE, USERNAME?, IP SET?, MSSQL?, LOGIN TYPE?, DIGITAL VAULT?, 
NETWORK ID?, CREATED, LAST. MODIFIED, COMMENTS?) 
/AUTH. MICROSOFT. SHAREPOINT. LIST. OUTPUT/RESPONSE/AUTH. MICROSOFT. SHAREPOINT. LIST|ID. SET 
/AUTH. MICROSOFT. SHAREPOINT/USERNAME? (#PCDATA) 


The user name used for authentication. 


/AUTH MICROSOFT. S 


/AUTH MICROSOFT. SHAR 


EPO 


EPO 


NT. LIST OUTPUT/RESPONSE/AUTH. MICROSOFT. SHAREPOINT LISTJID. SET 
NT/MSSOL? (4 PCDATA) 


(DB. LOCAL?, WINDOWS. DOMAIN?, KERBEROS?, NTLMV2?, NTLMV1?) 
Values for MS SOL parameters. 


CROSO 
CROSO 


/AUTH 
/AUTH 


EPO 


NT_LIST_OUTPUT/RESPONSE/AUTH_MICROSOFT_SHAREPOINT_LIST|ID_SET 
EPOINT/DIGITAL_VAULT? (#PCDATA) 


Vault information, when a vault is defined for the record. See Vault 
Information. 


Vault Information 


A vault may be defined for certain record types. Note that <TYPE> is the authentication 
type (i.e. windows, unix). 


XPath 


element specifications / notes 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AUTH_<TYPE>_LIST/AUTH_<TYPE>/ 
LOGIN_TYPE (#PCDATA) 
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Login type is “vault” when a vault is defined for the record. 


/AUTH <TYPE> LIST OUTPUT/RESPONSE/AUTH. <TYPE> LIST/AUTH. <TYPE>/DIGITAL VAULT 


(DIGITAL VAULT ID, DIGITAL VAULT. TYPE, DIGITAL VAULT. TITLE, 
VAULT_USERNAME?, VAULT_FOLDER?, VAULT_FILE?, 
VAULT_SECRET_NAME?, VAULT_SYSTEM_NAME?, VAULT_EP_NAME?, 
VAULT_EP_TYPE?, VAULT_EP_CONT?, VAULT_NS_TYPE?, 
VAULT_NS_NAME?, VAULT_ACCOUNT_NAME?, 
VAULT_AUTHORIZATION_NAME?, VAULT_TARGET_NAME?) 


The sub-elements under <DIGITAL_VAULT> differ per record type 
(technology). 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AU IBER MISA <TYPE>/DIGITAL_VAULT/ 


The vault ID. 


ESPONSE/AU <TYPE>_LIST/AU <TYPE>/DIGITAL_VAULT/ 
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The vault type. 
/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AU <TYPE>_LIST/AU <TYPE>/DIGITAL_VAULT/ 


The vault title. 
/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AU <TYPE> LIST/AU <TYPE>/DIGITAL_VAULT/ 


[he user name of vault account. 
/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AUTH_<TYPE>LIST/AUTH_<TYPE>/DIGITAL_VAULT/ 


VAULT_FOLDER (#PCDATA) 


The name of the folder in the secure digital safe where the password to be 
used for authentication should be stored.q 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AUTH_<TYPE>_LIST/AUTH_<TYPE>/DIGITAL_VAULT/ 
VAULT_FILE (#PCDATA) 


The name of the file in the secure digital safe where the password to be 
used for authentication should be stored. 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AUTH_<TYPE>LIST/AUTH_<TYPE>/DIGITAL_VAULT/ 
VAULT_SECRET_NAME (#PCDATA) 


The secret name that contains the password to be used for authentication. 
/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AUTH_<TYPE>_LIST/AUTH_<TYPE>/DIGITAL_VAULT/ 


VAU LT SYSTEM. NAME (#PCDATA) 


The system name. During a scan we'll perform a search for the system 
name and then retrieve the password. A single exact match of the system 
name must be found in order for authentication to be successful. 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AUTH_<TYPE>_LIST/AUTH_<TYPE>/DIGITAL_VAULT/ 
VAULT_EP_NAME (#PCDATA) 


The End-Point name identifies a managed system, either a target for local 
accounts or a domain controller for domain accounts. 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AUTH_<TYPE>_LIST/AUTH_<TYPE>/DIGITAL_VAULT/ 
VAULT_EP_TYPE (#PCDATA) 


The End-Point type represents the method of access to the End-Point 
system. 


/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AUTH_<TYPE>_LIST/AUTH_<TYPE>/DIGITAL_VAULT/ 
VAULT_EP_CONT (#PCDATA) 
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The End-Point container. 
/AUTH <TYPE> LIST OUTPUT/RESPONSE/AUTH <TYPE> LIST/AUTH. <TYPE>/DIGITAL, VAULT/ 
VAULT NS TYPE (#PCDATA) 

If vault type is Lieberman ERPM, the system type: auto, windows, unix, 

oracle, mssg, ldap, cisco, custom. 
/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/AUTH_<TYPE>_LIST/AUTH_<TYPE>/DIGITAL_VAULT/ 
VAULT_NS_NAME (#PCDATA) 

The custom system type name (valid only when VAULT. NS TYPE=custom). 
/AUTH <TYPE> LIST OUTPUT/RESPONSE/AUTH. <TYPE> LIST/AUTH. <TYPE>/DIGITAL, VAULT/ 
VAULT. ACCOUNT. NAME (#PCDATA) 

The account name for vault type BeyondTrust PBPS. 
/AUTH <TYPE> LIST OUTPUT/RESPONSE/AUTH. <TYPE> LIST/AUTH. <TYPE>/DIGITAL, VAULT/ 
VAULT. AUTHORIZATION. NAME (#PCDATA) 

The authorization name for vault type Wallix AdminBastion (WAB). 
/AUTH <TYPE> LIST OUTPUT/RESPONSE/AUTH. <TYPE> LIST/AUTH. <TYPE>/DIGITAL, VAULT/ 
VAULT. TARGET. NAME (#PCDATA) 

The target name for vault type Wallix AdminBastion (WAB). 


Warning List 


Note that <TYPE> is the authentication type. 

XPath element specifications / notes 

/AUTH <TYPE> LIST OUTPUT/RESPONSE/WARNING LIST (WARNING+) 

/AUTH <TYPE> LIST OUTPUT/RESPONSE/WARNING LIST/WARNING  (CODE?, TEXT, URL?, ID SET?) 

/AUTH <TYPE> LIST OUTPUT/RESPONSE/WARNING LIST/WARNING/CODE (#PCDATA) 
A warning code. A warning code appears when the API reguest identifies 
more than 1,000 records. 

/AUTH <TYPE> LIST OUTPUT/RESPONSE/WARNING LIST/WARNING/TEXT (#PCDATA) 
A warning message. A warning message appears when the API reguest 
identifies more than 1,000 records. 

/AUTH <TYPE> LIST OUTPUT/RESPONSE/WARNING LIST/WARNING/URL  (#PCDATA) 
The URL for making another API reguest for the next batch of 
authentication records. 

/AUTH <TYPE> LIST OUTPUT/RESPONSE/WARNING LIST/WARNING/ID SET (IDJID RANGE) 

/AUTH <TYPE> LIST OUTPUT/RESPONSE/WARNING LIST/WARNING/ID SET/ID (#PCDATA) 
An authentication record ID. 

/AUTH <TYPE> LIST OUTPUT/RESPONSE/WARNING LIST/WARNING/ID SET/ID RANGE (#PCDATA) 
A range of authentication record IDs. 
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Glossary 


a 


<TYPE> is the authentication type, such as: unix, windows, oracle, samp, etc. 


XPath element specifications / notes 
/AUTH_<TYPE>_LIST_OUTPUT/RESPONSE/GLOSSARY — (USER LIST?) 


/AUTH <TYPE> LIST OUTPUT/RESPONSE/GLOSSARY/USER LIST  (USER+) 


A list of users who created authentication records in the authentication 
record list by type output. 


/AUTH. <TYPE> LIST. OUTPUT/RESPONSE/GLOSSARY/USER LIST /USER 

(USER. LOGIN, FIRST. NAME, LAST. NAME) 

/AUTH <TYPE> LIST OUTPUT/RESPONSE/GLOSSARY/USER LIST /USER (#PCDATA) 
A user login ID. 
/AUTH <TYPE> LIST OUTPUT/RESPONSE/GLOSSARY/USER LIST /FIRST NAME (#PCDATA) 
The first name of the account user. 

/AUTH <TYPE> LIST OUTPUT/RESPONSE/GLOSSARY/USER LIST /LAST NAME  (#PCDATA) 


The last name of the account user. 
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Authentication Vault List Output 


API used 
<platform API server>/api/2.0/fo/vault/ with action=list 


DTD for Authentication Vault List Output 
<platform API server>/api/2.0/fo/vault/vault_output.dtd 
A recent DTD is shown below. 


<!-- QUALYS VAULT OUTPUT DTD --> 


<!ELEMENT AUTH VAULT LIST OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 
NT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (#PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA) > 
<!ELEMENT PARAM LIST (PARAM+) > 

N 

N 

N 


<!ELEME 


<!ELE T PARA (KEY, VALUE) > 

<!ELE T KEY (#PCDATA) > 

<!ELE T VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 
<!ELE POST DATA (#PCDATA) > 


Cpe RZ 


T 
LA 
3 
3 


<!ELEMENT RESPONSE (DATETIME, STATUS, COUNT, AUTH VAULTS) > 
<!ELEMENT STATUS (#PCDATA) > 
<!ELEMENT COUNT (#PCDATA) > 


<!ELEMENT AUTH VAULTS (AUTH VAULT*) > 

<!ELEMENT AUTH VAULT (UUID?, TITLE, VAULT TYPE, LAST MODIFIED?, 
LAST MODIFIED DATE?, SERVER ADDRESS?, ID?)> 
T UUID (#PCDATA) > 

T ID (#PCDATA) > 
T TITLE (#PCDATA) > 

PCDATA) > 

T SERVER ADDRESS (#PCDATA) > 
<!ELEMENT LAST MODIFIED DATE (#PCDATA) > 
<!ELEMENT LAST MODIFIED (DATETIME, BY)> 
<!ELEMENT BY (#PCDATA) > 


<!ELE 
<!ELE 
<!ELE 
<!ELE 
<! ELEME 


ei te. tel E 


2222222 

< 
D 
< 
Fa 
4 
K 
HU 

zJ 


XPaths for Authentication Vault List Output 


XPath element specifications / notes 
/AUTH. VAULT LIST. OUTPUT (REOUEST?, RESPONSE) 


/AUTH VAULT LIST. OUTPUT/REOUEST 
(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
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/AUTH VAULT LIST OUTPUT/REOUEST/DATETIME — (4PCDATA) 


e date and time of the API request. 
EST/USER LOGIN (#PCDATA) 


/AUTH. VAULT. LIST. OUTPUT/REOI! 


3 
1 


h 

U 

he user login ID of the user who made the reguest. 
/AUTH VAULT LIST OUTPUT/REOUEST/RESOURCE (#PCDATA) 

h 

U 

U 

U 


$ 
1 


e resource specified for the request. 


/AUTH_VAUL _OUTPUT/REQUEST/PARAM_LIST (PARAM+) 
/AUTH_VAULT_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
/AUTH VAULT LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY  (#PCDATA) 


> 


n input parameter name. 
/AUTH VAULT LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE — (4PCDATA) 


> 


n input parameter value. 

/AUTH VAULT LIST OUTPUT/REOUEST/POST DATA  (#PCDATA) 
The POST data, if any. 

/AUTH. VAULT LIST OUTPU (REOUEST?, RESPONSE) 

/AUTH. VAULT. LIST. OUTPUT/RESPONSE 
(DATETIME, STATUS, COUNT, AUTH. VAULTS) 

/AUTH VAULT LIST OUTPUT/RESPONSE/DATETIME (#PCDATA) 

The date and time of the response. 

/AUTH VAULT LIST OUTPUT/RESPONSE/STATUS (4PCDATA) 

Status of the API request if it is successful or not. 
/AUTH VAULT LIST OUTPUT/RESPONSE/COUNT (4PCDATA) 

Number of authentication records in the response. 
/AUTH VAULT LIST OUTPUT/RESPONSE/AUTH. VAULTS (AUTH_VAULT") 


S 
(UUID?, TITLE, VAULT. TYPE, LAST. MODIFIED?, 
LAST. MODIFIED DATE?, SERVER. ADDRESS?, ID?) 


/AUTH VAULT LIST OUTPUT/RESPONSE/AUTH. VAULTS/AUTH VAULT/UUID  (*PCDATA) 
The UUID of the vault if available. 
/AUTH_VAULT_LIST_OUTPUT/RESPONSE/AUTH_VAULTS/AUTH_VAULT/TITLE (#PCDATA) 
The vault title. 
/AUTH_VAULT_LIST_OUTPUT/RESPONSE/AUTH_VAULTS/AUTH_VAULT/VAULT_TYPE (#PCDATA) 


The vault type, one of: CyberArk PIM Suite, CyberArk AIM, Thycotic Secret 
Server, Quest Vault, CA Access Control, Hitachi ID PAM, Lieberman ERPM, 
BeyondTrust PBPS 


/AUTH_VAULT_LIST_OUTPUT/RESPONSE/AUTH_VAULTS/AUTH_VAULT/ 
LAST_MODIFIED (DATETIME, BY?) 


The date/time the vault was last modified, and the username of the user 
who made the change. 


/AUTH_VAULT_LIST_OUTPUT/RESPONSE/AUTH_VAULTS/AUTH_VAULT/ 
SERVER ADDRESS (#PCDATA) 


The IP address of vault server. Valid for: CyberArk PIM Suite, Ouest Vault. 
/AUTH VAULT LIST OUTPUT/RESPONSE/AUTH. VAULTS/AUTH VAULT/ID (#PCDATA) 
The vault ID. 
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Authentication Vault View Output 
API used 


<platform API server>/api/2.0/fo/vault/ with action=view 


DTD for Authentication Vault View Output 
<platform API server>/api/2.0/fo/vault/vault_view.dtd 
A recent DTD is shown below. 


<!-- QUALYS VAULT OUTPUT DTD --> 


<!ELEMENT VAULT OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 

POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 
M 
i 


zo] 


<!ELEMENT VALUE (#PCDATA)> 
<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


<!ELEMENT RESPONSE (DATETIME, VAULT QUEST) > 


<!ELEMENT VAULT QUEST (TITLE, COMMENTS, VAULT TYPE, CREATED ON?, OWNER?, 
LAST MODIFIED?, APPID?, APPKEY?, USERNAME?, URL?, 
SSL VERIFY?, DOMAIN?, API USERNAME?, 
WEB USERNAME?, SERVER ADDRESS?, PORT?, SAFE?, 
API VERSION?, AUTH TYPE?, PATH?, ROLE NAME?, 
ROLE ID?, SECRET ID?, APP ID?, (UUID|ID))> 
<!ELEMENT UUID (#PCDATA) > 

<!ELEMENT ID (#PCDATA) > 

<!ELEMENT TITLE (#PCDATA) > 

<!ELEMENT COMMENTS (#PCDATA) > 

<!ELEMENT VAULT TYPE (#PCDATA) > 

<!ELEMENT CREATED ON (#PCDATA) > 

<!ELEMENT OWNER (#PCDATA) > 

<!ELEMENT APPID (#PCDATA) > 

<!ELEMENT APPKE (#PCDATA) > 

<!ELEMENT USERNAME (#PCDATA) > 

<!ELEMENT URL (#PCDATA) > 

<!ELEMENT SSL VERIFY (#PCDATA) > 

<!ELE DATA) > 

<!ELEMENT API USERNAME (#PCDATA) > 

<!ELEMENT WEB USERNAME (#PCDATA) > 

<!ELEMENT SERVER ADDRESS (#PCDATA) > 

<!ELEMENT PORT (#PCDATA) > 

<!ELEMENT SAFE (#PCDATA) > 


T 
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<!ELEMENT API VERSION (#PCDATA) > 
<!ELEMENT AUTH TYPE (#PCDATA) > 
<!ELEMENT PATH (#PCDATA) > 
<!ELEMENT ROLE NAME (#PCDATA) > 
<!ELEMENT ROLE ID (#PCDATA) > 
<!ELEMENT SECRET ID (#PCDATA) > 

<!ELEMENT APP ID (#PCDATA) > 

<!ELEMENT LAST MODIFIED (DATETIME, BY?)> 
<!ELEMENT BY (#PCDATA) > 

<!-- EOF --> 


XPaths for Authentication Vault View Output 


XPath element specifications / notes 
/AUTH_VAULT_OUTPUT REQUEST?, RESPONSE) 
/AUTH_VAULT_OUTPUT/REQUEST 


DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/AUTH_VAULT_OUTPUT/REQUEST/DATETIME (#PCDATA) 


The date and time of the API request. 
/AUTH_VAULT_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 

The user login ID of the user who made the request. 
/AUTH VAULT OUTPUT/REOUEST/RESOURCE (#PCDATA) 


The resource specified for the request. 
/AUTH VAULT OUTPUT/REOUEST/PARAM. LIST (PARAM+) 
/AUTH VAULT OU UEST/PARAM LIST/PARAM (KEY, VALUE) 
/AUTH VAULT OUTPUT/REOUEST/PARAM LIST/PARAM/KEY (#PCDATA) 
An input parameter name. 
/AUTH VAULT OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE — (*PCDATA) 
An input parameter value. 
/AUTH VAULT OUTPUT/REOUEST/POST DATA — (4PCDATA) 
The POST data, if any. 
UT REQUEST?, RESPONSE) 
/RESPONSE 
DATETIME, VAULT_QUEST) 
/AUTH VAULT OUTPUT/RESPONSE/DATETIME (#PCDATA) 

The date and time of the response. 
UT/RESPONSE/VAULT_QUEST 


(TITLE, COMMENTS, VAULT_TYPE, CREATED_ON?, OWNER?, 
LAST_MODIFIED?, APPID?, APPKEY?, USERNAME?, URL?, SSL_VERIFY?, 
DOMAIN?, API_USERNAME?, WEB_USERNAME?, SERVER_ADDRESS?, 
PORT?, SAFE?, API VERSION?, AUTH_TYPE?, PATH?, ROLE NAME?, 
ROLE_ID?, SECRET_ID?, APP_ID?, (UUID|ID)) 
Ib 


/AUTH_VAULT_OUTPUT/RESPONSE/VAULT_QUEST/TITLE (#PCDATA) 
The vault title. 
/AUTH_VAULT_OUTPUT/RESPONSE/VAULT_QUEST/COMMENTS (#PCDATA) 


5 
E 
< 
ps) 
tm 

FO 


/AUTH_VAULT_OU 
/AUTH_VAULT_OUTP 


ag) 


G 


/AUTH. VAULT. OU 


ag) 
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element specifications / notes 


User-defined 


comments for the vault. 


/AUTH VAULT OUTPUT/RESPONSE/VAULT. OUEST/VAULT. TYPE — (4PCDATA) 


The vault type, one of: CyberArk PIM Suite, CyberArk AIM, Thycotic Secret 
Server, Ouest Vault, CA Access Control, Hitachi ID PAM, Lieberman ERPM, 


BeyondTrust 


PBPS 


/A 


UL 


The date/tim 


ESPONSE/VAULT. OUEST/CREATED ON  (*PCDATA) 


e when the vault was first created. 


/A 


UL 


The vault owner. 


ESPONSE/VAULT_QUEST/OWNER — (4PCDATA) 


/A 


UL 


ESPO 


SE/VAULT OUEST/APPID — (*PCDATA) 
Application ID string defined by the customer. The application ID acts asan 


authenticato 


for our scanner to call CCP web services API. 


/A 


VEE 


The applicati 


ESPONSE/VAULT_QUEST/APPKEY (#PCDATA) 


on key (alpha-numeric string) provided by the customer for 


the BeyondTrust PBPS web services API. 


/A 


H_VA 


UL 


ZOU 


The date/tim 
user who ma 


ESPONSE/VAULT_QUEST/LAST_MODIFIED (DATETIME, BY?) 


e when the vault was last modified and the username of the 
de the change. 


/A 


H_VA 


UL 


EOU 


UT/R 


ESPONSE/VAULT OUEST/URL (4PCDATA) 


The URL ofthe vault web services. Valid for vault types: CA Access Control, 


Lieberman ERPM, Thycotic Secret Server. 


/A 


H_VA 


UL 


OU 


UT/R 


ESPO 


SE/VAULT OUEST/SSL VERIFY (#PCDATA) 


A flagindicating whether our service will verify the SSL certificate of the 


web services 


URL to make sure the certificate is valid and trusted. Valid for 


vault types: CA Access Control, Lieberman ERPM, Thycotic Secret Server. 


/A 


H_VA 


UL 


KOU 


ESPONSE/VAULT_QUEST/DOMAIN (4PCDATA) 


The domain name if your vault server is part of a domain. Valid vault types: 
Lieberman ERPM, Thycotic Secret Server. 


/A 


let WAN 


UL 


OU 


ESPONSE/VAULT. OUEST/API USERNAME (4PCDATA) 


[he username to be used for authentication to the vault. 


/A 


H_VA 


UL 


OU 


ESPONSE/VAULT. OUEST/WEB USERNAME (#PCDATA) 


The web username to be used to access Basic authentication of the CA 
Access Control web server. Not valid for other vault t ypes. 


/A 


H_VA 


UL 


OU 


ESPONSE/VAULT. OUEST/SERVER. ADDRESS (#PCDATA) 


Ouest Vault. 


The IP address of the vault server. Valid for vault types: CyberArk PIM Suite, 


/A 


H_VA 


UL 


OU 


ESPONS 


E/VAULT_QUEST/PORT (#PCDATA) 


The port the vault server is running on. Valid for vault types: CyberArk PIM 
Suite, Quest Vault. 


/A 


H_VA 


UL 


OU 


UT/R 


ESPONSE/VAULT. OUEST/SAFE (#PCDATA) 


The name of 


valid for other vault types. 


the digital password safe for CyberArk PIM Suit vault. Not 


/A 


H_VA 


UL 


OU 


UT/R 


ESPONSE/VAULT. OUEST/APIL VERSION (#PCDATA) 


The HTTP or 


HTTPS URL to access the Vault HTTP API. Valid for the 


HashiCorp vault. 
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element specifications / notes 
T. OUEST/AUTH TYPE (#PCDATA) 


thentication types supported by vault API: userpass, cert and 
. Valid for the HashiCorp vault. 


/AU 


T_QUEST/PATH (#PCDATA) 


th for the Username/Password authentication method. Valid for the 
orp vault. 


/AU 


' OUEST/ROLE NAME (#PCDATA) 


rhe role 


associated with the CA certificate. Valid for the HashiCorp vault. 


/AU 


T. OUEST/ROLE ID (#PCDATA) 


The role 
orp vault. 


ID of the App Role you want to use for authentication. Valid for the 


/AU 


LT OUEST/SECRET ID (#PCDATA) 


The secret ID o 
the HashiCorp vault. 


Eh 


the App Role you want to use for authentication. Valid for 


/AU 


LT_QUEST/APP_ID (#PCDATA) 


The application ID associated with the vault application created in the 
Azure Key Vault. 


/AU 


LT_QUEST/(UUID|ID) (*PCDATA) 


[he vault ID and UUID if available. 
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Chapter 5 - Assets XML 


This section describes the XML output returned from Assets API reguests. 


IP List Output 


Host List Output 


Host Update Output 


Host Purge Output 


Host Update Output 


Excluded Hosts List Output 


Excluded Hosts Change History Output 


Virtual Host List Output 


IPv6 Mapping Records List Output 


vCenter - ESXi Mapping Records List Output 


Restricted IPs List Output 


Duplicate Hosts Error Output 


Asset Group List Output 


Asset Search Report 


Network List Output 


Patch List Output 


IP List Output 


API used 


Qualys API (VM, PC) XML/DTD Reference 
Chapter 5 - Assets XML 


<platform API server>/api/2.0/fo/asset/ip with action=list 


DTD for Auth Record List Output 
<platform API server>/api/2.0/fo/asset/ip/ip_list_output.dtd 


A recent DTD is shown below. 


<!-- QUALYS IP OUTPUT DTD 
LP LIST: 


<!E] 


LEMENT 


LEMENT 


ELEMENT 


REOUEST 


DATETIME 


ELEMENT 


USER LOGIN 


ELEME 


NT 


RESOURCE 


OUTPUT 


--> 


(REQUEST?, RESPONSE) > 


(DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 


POST DATA?) > 
(#PCDAT 
(#PCDATA) > 
(#PCDAT 


A)> 


A)> 
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<!ELEMENT PARA | LIST (PARAM+) > 

<!ELEMENT PARA (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


<!ELEMENT RESPONSE (DATETIME, IP SET?)> 


<!ELEMENT IP SET ((IP|IP RANGE) +)> 
<!ELEMENT IP (#PCDATA) > 
<!ELEMENT IP RANGE (#PCDATA) > 
<!-- EOF --> 


XPaths for IP List Output 


XPath element specifications / notes 
Al LS OU (REOUEST?, RESPONSE) 
/P LIST OUTPUT/REOUEST (DATETIME, USER. LOGIN, RESOURCE, PARAM LIST, POST. DATA?) 


/IP LIST OUTPUT/REOUEST/DATETIME (#PCDATA) 


The date and time of the API request. 
/IP LIST OUTPUT/REOUEST/USER LOGIN (#PCDATA) 


The user login of the user who made the request. 
/IP LIST OUTPUT/REOUEST/RESOURCE — (4PCDATA) 


[he resource specified for the request. 


(IP LIST OUTPUT/REOUEST/PARAM LIST (PARAM+)) 
(IP LIST OUTPUT/RECUEST/PARAM LIST/PARAM (KEY, VALUE)) 
/IP LIST OUTPUT/RECUEST/PARAM LIST/PARAM/KEY  (#PCDATA) 


The input parameter name. 

/IP LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE — (4PCDATA) 
The input parameter value. 

/IP LIST OUTPUT/REOCUEST/POST. DATA (#PCDATA) 

The POST data, if any. 

PONSE (DATETIME, IP. SET) 

/IP LIST OUTPUT/RESPONSE/DATETIME  (#PCDATA) 

The date and time of the Qualys response. 
UTPUT/RESPONSE/IP_SET ((IPIIP RANGE)+) 
UTPUT/RESPONSE/IP_SET/IP (#PCDATA) 

An IP address. 

(IP LIST OUTPUT/RESPONSE/IP SET/IP RANGE (#PCDATA) 


An IP address range. 
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<platform API server>/api/2.0/fo/asset/host/ with action=list 


DTD for Host List Output 
<platform API server>/api/2.0/fo/asset/host/dtd/list/output.dtd 


A recent DTD is shown below. 
<!-- QUALYS HOST OUTPUT DTD FOR LIST ACTION--> 
<!-- SRevision$ --> 
<!ELEMENT HOST LIST OUTPUT (REQUEST?, RESPONSE) > 
<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA? > 
<!ELEMENT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (t PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA) > 
<!ELEMENT PARA | LIST (PARAM+) > 
<!ELEMENT PARA (KEY, VALUE) > 
<!ELEMENT KEY (#PCDATA) > 
<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 
<!ELEMENT RESPONSE (DATETIME, (HOST LIST|ID SET) ?, WARNING?, GLOSSARY?) > 
<!ELEMENT HOST LIST (HOST+) > 
<!ELEMENT HOST (ID, ASSET ID?, IP?, IPV6?, TRACKING METHOD?, NETWORK ID?, 
DNS?, DNS DATA?, CLOUD PROVIDER?, CLOUD SERVICE?, CLOUD RESOURCE ID?, 
EC2 INSTANCE ID?, NETBIOS?, OS?, QG HOSTID?, TAGS?, METADATA?, 
CLOUD PROVIDER TAGS?, LAST VULN SCAN DATETIME?, LAST VM SCANNED DATE?, 
LAST VM SCANNED DURATION?, 
LAST VM AUTH SCANNED DATE?, LAST VM AUTH SCANNED DURATION?, 
LAST COMPLIANCE SCAN DATETIME?, LAST SCAP SCAN DATETIME?, OWNER?, 
COMMENTS?, USER DEF?, ASSET GROUP IDS?)> 
<!ELEMENT ID (#PCDATA) > 
<!ELEMENT ASSET ID (#PCDATA) > 
<!ELEMENT IP (#PCDATA) > 
<!ELEMENT IPV6 (#PCDATA) > 
<!ELEMENT TRACKING METHOD (#PCDATA) > 
<!ELEMENT NETWORK ID (#PCDATA) > 
<!ELEMENT DNS (#PCDATA) > 
<!ELEMENT DNS DATA (HOSTNAME?, DOMAIN?, FQDN?) > 
<!ELEMENT HOSTNAME (#PCDATA) > 
<!ELEMENT DOMAIN (#PCDATA) > 
<!ELEMENT FODN (#PCDATA) > 
<!ELEMENT EC2 INSTANCE ID (#PCDATA) > 
<!ELEMENT CLOUD PROVIDER (#PCDATA) > 
<!ELEMENT CLOUD SERVICE (#PCDATA) > 
<!ELEMENT CLOUD RESOURCE ID (#PCDATA) > 
<!ELEMENT NETBIOS (#PCDATA) > 
<!ELEMENT OS (#PCDATA) > 
<!ELEMENT QG HOSTID (#PCDATA) > 
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<!ELEMENT TAGS (TAG*)> 

<!ELEMENT TAG (TAG ID?, NAME?)> 

<!ELEMENT TAG ID (#PCDATA) > 

<!ELEMENT NAME (#PCDATA) > 

<!ELEMENT LAST VULN SCAN DATETIME (#PCDATA) > 
<!ELEMENT LAST VM SCANNED DATE (#PCDATA) > 
<!ELEMENT LAST VM SCANNED DURATION (#PCDATA) > 
<!ELEMENT LAST VM AUTH SCANNED DATE (#PCDATA) > 
<!ELEMENT LAST VM AUTH SCANNED DURATION (#PCDATA) > 
<!ELEMENT LAST COMPLIANCE SCAN DATETIME (#PCDATA) > 
<!ELEMENT LAST SCAP SCAN DATETIME (#PCDATA) > 
<!ELEMENT OWNER (#PCDATA) > 

<!ELEMENT USER DEF (LABEL 1?, LABEL 2?, LABEL 3?, VALUE _1?, VALUE 2?, 
VALUE_3?)> 

<!ELEMENT LABEL 1 (#PCDATA) > 

<!ELEMENT LABEL 2 (#PCDATA) > 

<!ELEMENT LABEL 3 (#PCDATA) > 

<!ELEMENT VALUE 1 (#PCDATA) > 

<!ATTLIST VALUE 1 

ud_attr CDATA #REQUIRED> 

<!ELEMENT VALUE 2 (#PCDATA) > 

<!ATTLIST VALUE 2 

ud_attr CDATA #REQUIRED> 

<!ELEMENT VALUE 3 (#PCDATA) > 

<!ATTLIST VALUE 3 

ud_attr CDATA #REQUIRED> 

<!ELEMENT METADATA (EC2|GOOGLE|AZURE) +> 

<!ELEMENT EC2 (ATTRIBUTE*) > 

<!ELEMENT GOOGLE (ATTRIBUTE*) > 

<!ELEMENT AZURE (ATTRIBUTE*) > 

<!ELEMENT ATTRIBUTE 

(NAME, LAST STATUS, VALUE, LAST SUCCESS DATE?,LAST ERROR _DATE?, LAST ERROR?) > 
<!ELEMENT LAST STATUS (#PCDATA) > 

<!ELEMENT LAST SUCCESS DATE (#PCDATA) > 

<!ELEMENT LAST ERROR DATE (#PCDATA) > 

<!ELEMENT LAST ERROR (#PCDATA) > 

<!ELEMENT CLOUD PROVIDER TAGS (CLOUD TAG+) > 
<!ELEMENT CLOUD TAG (NAME, VALUE, LAST SUCCESS DATE)> 
<!ELEMENT ASSET GROUP IDS (#PCDATA) > 

<!ELEMENT ID SET ((ID|ID RANGE) +)> 

<!ELEMENT ID RANGE (#PCDATA) > 

<!ELEMENT WARNING (CODE?, TEXT, URL?)> 

<!ELEMENT CODE (#PCDATA) > 

<!ELEMENT TEXT (#PCDATA) > 

<!ELEMENT URL (#PCDATA) > 

<!ELEMENT GLOSSARY (USER_DEF?, USER _LIST?, ASSET GROUP_LIST?) > 
<!ELEMENT USER LIST (USER+) > 

<!ELEMENT USER (USER LOGIN, FIRST NAME, LAST NAME) > 
<!ELEMENT FIRST NAME (#PCDATA) > 

<!ELEMENT LAST NAME (#PCDATA) > 

<!ELEMENT ASSET GROUP LIST (ASSET GROUP+)> 
<!ELEMENT ASSET GROUP (ID, TITLE)> 

<!ELEMENT TITLE (#PCDATA) > 

<!-- EOF --> 
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XPaths for Host List Output 


XPath element specifications / notes 

(HOST LIST OUTPU (REOUEST? RESPONSE) 

(HOST. LIST OUTPUT/REOUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/HOST. LIST. OUTPUT/REOUEST/DATETIME (#PCDATA) 


The date and time of the API request. 
/HOST_LIST_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 


[he user login ID of the user who made the request. 


/HOST_LIST_OUTPUT/REQUEST/RESOURCE  (#PCDATA) 


The resource specified for the request. 
/HOST LIST OUTPUT/RECUEST/PARAM LIST (PARAM+)) 

/HOST. LIST OUTPUT/REOUEST/PARAM. LIST/PARAM (KEY, VALUE)) 
(HOST. LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY  (#PCDATA) 


An input parameter name. 
/HOST LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE - (*PCDATA) 


An input parameter value. 

/HOST LIST OUTPUT/REOUEST/POST DATA — (*PCDATA) 

he POST data, if any. 

(HOST. LIST OUTPUT/RESPON (DATETIME, (HOST. LISTJID. SET)?, WARNING?, GLOSSARY?) 


/HOST. LIST OUTPUT/RESPONSE/DATETIME  (#PCDATA) 

The date and time of the Qualys response. 
RESPONSE/HOST_LIS HOST+) 
RESPONSE/HOST_LIST/HOST 


(ID, ASSET_ID?, IP?, TRACKING_METHOD?, NETWORK_ID?, DNS?, 
DNS_DATA?, CLOUD_PROVIDER?,CLOUD_SERVICE?, 

CLOUD RESOURCE ID?, EC2 INSTANCE ID?, NETBIOS?, OS?, 

OG HOSTID?, TAGS?, METADATA?, LAST. VULN. SCAN DATETIME?, 
LAST VM. SCANNED. DATE?, LAST VM. SCANNED DURATION?, 
LAST VM AUTH. SCANNED DATE?, 
LAST VM. AUTH. SCANNED. DURATION?, 
LAST. COMPLIANCE SCAN DATETIME?, OWNER?, COMMENTS?, 
USER DEF?, ASSET GROUP IDS?, CLOUD. PROVIDER TAGS?) 


he HOST element is returned when the “details” input parameter is set to 
“basic” or “all” or if the parameter is unspecified. 
/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/ID (#PCDATA) 
The host ID. 
/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/ASSET_ID (4PCDATA) 
The asset ID of the host. 
/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/IP (#PCDATA) 
The asset's IP address. 


/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/TRACKING_METHOD (#PCDATA) 


/HOST_LIST_OUTPU 
/HOST_LIST_OUTPU 


= 


= 


The tracking method assigned to the asset: IP, DNS, NETBIOS, EC2. 
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XPath element specifications / notes 
/HOST. LIST OUTPUT/RESPONSE/HOST. LIST/HOST/NETWORK ID  (#PCDATA) 


The network ID ofthe asset, if the Networks feature is enabled. 

(HOST. LIST OUTPUT/RESPONSE/HOST LIST/HOST/DNS  (*PCDATA) 

DNS name for the asset. For an EC2 asset this is the private DNS name. 

/HOST_LIST_OUTPUT/RESPONSE/HOST_LIS DNS DATA (HOSTNAME?, DOMAIN?, FQDN?) 

/HOST_LIST_OUTPUT/RESPONSE/HOST_LIS DNS_DATA/HOSTNAME  (#PCDATA) 
The DNS hostname for the asset. 

/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/DNS_DATA/DOMAIN  (#PCDATA) 


[The domain name for the asset. 
/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/DNS_DATA/FQDN  (#PCDATA) 


The Fully Qualified Domain Name (FQDN) for the asset. 
/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/CLOUD_SERVICE — (*PCDATA) 


Cloud service of the asset. For example: (VM for Azure, EC2 for AWS). 
/HOST. LIST OUTPUT/RESPONSE/HOST LIST/HOST/CLOUD RESOURCE ID (#PCDATA) 


Cloud resource ID ofthe asset. 
/HOST. LIST. OUTPUT/RESPONSE/HOST. LIST/EC2. INSTANCE. ID (#PCDATA) 


EC2 instance ID for the asset. 
/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/NETBIOS  (#PCDATA) 
NetBIOS host name for the asset. 
/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/OS  (*PCDATA) 


Operating system detected on the asset. 
(HOST. LIST OUTPUT/RESPONSE/HOST LIST/HOST/OG HOSTID (#PCDATA) 


The Oualys host ID assigned to the asset when Agentless Tracking is used 
or when a cloud agentis installed. 


/HOST. LIST OUTPUT/RESPONSE/HOST LIST/HOST/TAGS (TAG_ID?, NAME?) 

[HOST LIST OUTPUT/RESPONSE/HOST LIST/HOST/TAGS/TAG. ID (4PCDATA) 

A tag ID associated with the asset when show tags=1 is specified. 
/HOST. LIST OUTPUT/RESPONSE/HOST LIST/HOST/TAGS/NAME — (4PCDATA) 

A tag name associated with the asset when show. tags=1 is specified. 
/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/METADATA 


(EC2|GOOGLE|AZURE)+ 


/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/METADATA/EC2 (ATTRIBUTE* 

/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/METADATA/GOOGLE (ATTRIBUTE?) 

/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/METADATA/AZURE (ATTRIBUTE") 

/HOST. LIST OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA/EC2[GOOGLEJAZURE/ATTRIBUTE 
(NAMELAST. STATUS, VALUE,LAST. SUCCESS. DATE?,LAST. ERROR DATE? L 
AST. ERROR?) 

/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/METADATA/EC2|GOOGLE|AZURE/ATTRIBUTE/ 


Attribute name, fetched from instance metadata. 


/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/METADATA/EC2|GOOGLE|AZURE/ATTRIBUTE 
LAST STATUS (#PCDATA) 
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XPath element specifications / notes 
Attribute last status, fetched from instance metadata. 

/HOST. LIST. OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA/EC2[GOOGLEJAZURE/ATTRIBUTE 

VALUE (#PCDATA) 

Attribute value fetched, from instance metadata 

/HOST. LIST OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA/EC2[GOOGLEJAZURE/ATTRIBUTE 

LAST SUCCESS DATE (#PCDATA) 

Attribute last success date/time, fetched from instance metadata 

/HOST. LIST OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA/EC2[GOOGLEJAZURE/ATTRIBUTE 

LAST ERROR DATE (#PCDATA) 

Attribute last error date/time, fetched from instance metadata. 

/HOST. LIST. OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA/EC2[GOOGLEJAZURE/ATTRIBUTE 

LAST ERROR (#PCDATA) 

Attribute last error, fetched from instance metadata. 

/HOST. LIST. OUTPUT/RESPONSE/HOST. LIST/HOST/CLOUD PROVIDER. TAGS 
(CLOUD. TAG') 

/HOST. LIST. OUTPUT/RESPONSE/HOST. LIST/HOST/CLOUD. PROVIDER. TAGS/CLOUD. TAG 
(NAME, VALUE, LAST. SUCCESS. DATE) 

[HOST LIST OUTPUT/RESPONSE/HOST. LIST/HOST/CLOUD PROVIDER TAGS/CLOUD. TAG/NAME 

(#PCDATA) 

The name of the cloud tag. 

/HOST_OUTPUT/RESPONSE/HOST_LIST/HOST/CLOUD_PROVIDER_TAGS/CLOUD_TAG/VALUE (#PCDATA) 
The value of the cloud tag. 

/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/CLOUD_PROVIDER_TAGS/CLOUD_TAG/LAST_SUCCESS_ 

DATE (#PCDATA) 

Tag last success date/time, fetched from instance. 

/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/LAST_VULN_SCAN_DATETIME (#PCDATA) 

The date and time of the most recent vulnerability scan. 

/HOST. LIST. OUTPUT/RESPONSE/HOST. LIST/HOST/LAST. VM. SCANNED. DATE  (#PCDATA) 

The scan end date/time for the most recent unauthenticated vulnerability 
scan on the asset. 

(HOST. LIST OUTPUT/RESPONSE/HOST. LIST/HOST/LAST. VM. SCANNED DURATION - (4PCDATA) 

The scan duration (in seconds) for the most recent unauthenticated 
vulnerability scan on the asset. 

/HOST. LIST OUTPUT/RESPONSE/HOST LIST/HOST/LAST. VM AUTH SCANNED DATE  (#PCDATA) 
The scan end date/time for the last successful authenticated vulnerability 
scan on the asset. 

/HOST. LIST. OUTPUT/RESPONSE/HOST. LIST/HOST/LAST. VM AUTH SCANNED DURATION - (4PCDATA) 
The scan duration (in seconds) for the last successful authenticated 
vulnerability scan on the asset. 

/HOST. LIST OUTPUT/RESPONSE/HOST. LIST/HOST/LAST. COMPLIANCE SCAN DATETIME — (4PCDATA) 
The date and time of the most recent compliance scan. 

/HOST. LIST OUTPUT/RESPONSE/HOST. LIST/HOST/LAST. SCAP SCAN DATETIME — (4PCDATA) 

The date and time of the most recent SCAP scan. 
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XPath element specifications / notes 
/HOST. LIST OUTPUT/RESPONSE/HOST LIST/HOST/OWNER (#PCDATA) 


[he asset owner. 


(HOST. LIST OUTPUT/RESPONSE/HOST. LIST/HOST/COMMENTS — (*PCDATA) 


The com 


ments defined for the asset. 
(HOST LIST. OUTPUT/RESPONSE/HOST. LIST/HOST/USER. DEF 
(LABEL ? LABEL 27, LABEL 3?, VALUE. 12, VALUE. 2?, VALUE 3?) 


A set of host attributes assigned to the host. Three user-defined attributes 
are defined for the subscription. 


/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/USER_DEF/LABEL_n (#PCDATA) 
Not returned inside the <HOST> element. Returned inside <GLOSSARY>. 
/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/USER_DEF/VALUE_n (#PCDATA) 


A host attribute value. Three elements are returned, one element for each 
of the three values. The elements are: <VALUE_1>, <VALUE_2> and 
<VALUE_3>. 


/HOST_LIST_OUTPUT/RESPONSE/HOST_LIST/HOST/ASSET_GROUP_IDS (#PCDATA) 


[he asset group IDs for the asset groups which the host belongs to. 
(HOST. LIST. OUTPUT/RESPONSE/ID. SET  ((ID|ID_RANGE)+) 


The ID SET element is returned when the “details” input parameter is set to 
“none”. 


(HOST. LIST OUTPUT/RESPONSE/ID SET/ID (#PCDATA) 

A host ID. 
/HOST_LIST_OUTPUT/RESPONSE/ID_SET/ID_RANGE  (#PCDATA) 
A host ID range. 
/HOST_LIST_OUTPUT/RESPONSE/WARNING  (CODE?, TEXT, URL?) 
/HOST LIST OUTPUT/RESPONSE/WARNING/CODE — (4PCDATA) 


The warning code. This code appears when the API request identifies more 
than 1,000 records (hosts) or the custom truncation limit. 


/HOST_LIST_OUTPUT/RESPONSE/WARNING/TEXT  (*PCDATA) 


The warning message text. This message appears when the API request 
identifies more than 1,000 records (hosts) or the custom truncation limit. 


/HOST_LIST_OUTPUT/RESPONSE/WARNING/URL  (*PCDATA) 
The URL for making another request for the next batch of host records. 
EGLO SS Anam (USERS DER Gal Shelli olicae ASE (ERE IST) 
E/GLOSSARY/USER_DEF (#PCDATA) 

(LABEL_1?, LABEL_2?, LABEL_3?, VALUE_1?, VALUE_2?, VALUE_3?) 


A set of host attributes assigned to the host. Three user-defined attributes 
are defined for the subscription. 


/HOST_LIST_OUTPUT/RESPONSE/GLOSSARY/USER_DEF/LABEL_n (#PCDATA) 


A host attribute label, as defined for the subscription. When the default 
labels are used the elements are: <LABEL_1>Location, <LABEL_2>Function 
and <LABEL_3>Asset Tag. The labels may be customized within Qualys. 


/HOST_LIST_OUTPUT/RESPONSE/GLOSSARY/USER_DEF/VALUE_n (#PCDATA) 
Not returned inside the <GLOSSARY> element. Returned inside <HOST>. 
/HOST_LIST_OUTPUT/RESPONSE/GLOSSARY/USER_LIST (USER+) 


/HOST_LIST_OUTPUT/RESPON 
/HOST_LIST_OUTPUT/RESPON 


un 


un 
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A list of users who are asset owners for the hosts in the host list output. 
/HOST. LIST OUTPUT/RESPONSE/GLOSSARY/USER. LIST/USER (USER LOGIN, FIRST. NAME, LAST. NAME) 

A user who is an asset owner for a host in the host list output. 

/HOST. LIST OUTPUT/RESPONSE/GLOSSARY/USER LIST/USER LOGIN (#PCDATA) 

A user login ID. 
/HOST_LIST_OUTPUT/RESPONSE/GLOSSARY/USER_LIST/USER/FIRST_NAME (#PCDATA) 

A user's first name. 
/HOST_LIST_OUTPUT/RESPONSE/GLOSSARY/USER_LIST/LAST_NAME 

A user's last name. 
/HOST_LIST_OUTPUT/RESPONSE/GLOSSARY/ASSET_GROUP_LIST (ASSET_GROUP+) 

A list of asset groups which hosts in the host list output belong to. 
/HOST_LIST_OUTPUT/RESPONSE/GLOSSARY/ASSET_GROUP_LIST/ASSET_GROUP (ID, TITLE) 
/HOST_LIST_OUTPUT/RESPONSE/GLOSSARY/ASSET_GROUP_LIST/ASSET_GROUP/ID 

An asset group ID. 
/HOST_LIST_OUTPUT/RESPONSE/GLOSSARY/ASSET_GROUP_LIST/ASSET_GROUP/TITLE 


An asset group title. 
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Host Update Output 


API used 
<platform API server>/api/2.0/fo/asset/host/ with action=update 


DTD for Host Update Output 
<platform API server>/api/2.0/fo/asset/host/dtd/update/output.dtd 


A recent DTD is shown below. 


<!-- QUALYS HOST OUTPUT DTD FOR UPDATE ACTION--> 
<!-- SRevision$ --> 
<!ELEMENT HOST UPDATE OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!EL NT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 


<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- If specified, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 

<!ELEMENT RESPONSE (DATETIME, CODE?, TEXT, ITEM LIST?)> 


<!ELEMENT CODE (#PCDATA) > 
<!ELEMENT TEXT (#PCDATA) > 
<!ELEMENT ITEM LIST (ITEM+) > 


<!ELEMENT ITEM (KEY, VALUE*)> 
<!-- EOF --> 


XPaths for Host Update Output 


XPath element specifications / notes 
DATE OUTPU (REOUEST?,RESPONSE) 


O 
UPDATE OUTPUT/REOUE (DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 


= 
O 
un 
(= 
“el 


(a) 
n 
E 
El 


OST_UPDATE_OUTPUT/REQUEST/DATETIME — (4PCDATA) 


he date and time of the API request. 
/HOST_UPDATE_OUTPUT/REQUEST/USER_LOGIN  (*PCDATA) 


[he user login ID of the user who made the request. 


/HOST_UPDATE_OUTPUT/REQUEST/RESOURCE — (*PCDATA) 


he resource specified for the request. 

OUTPUT/REQUEST/PARAM_LIST  (PARAM+)) 

DATE OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE)) 
OUTPUT/REOUEST/PARAM LIST/PARAM/KEY  (*PCDATA) 


An input parameter name. 


= 
© 
WN 
E 
HU 
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XPath element specifications / notes 
(HOST. UPDATE OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE — (4PCDATA) 
An input parameter value. 
(HOST UPDATE OUTPUT/REOUEST/POST DATA (#PCDATA) 
The POST data, if any. 
(HOST UPDATE OUTPUT/RESP (DATETIME, CODE?, TEXT, ITEM LIST?) 
ONSE 
(HOST UPDATE OUTPUT/RESPONSE/DATETIME (4PCDATA) 
The date and time of the Oualys response. 
/HOST UPDATE OUTPUT/RESPONSE/CODE  (#PCDATA) 
The response error code. 
(HOST UPDATE OUTPUT/RESPONSE/TEXT (4PCDATA) 
The response error text. 
(HOST. UPDATE OUTPUT/RESPONSE/ITEM LIST (ITEM+) 
(HOST. UPDATE OUTPUT/RESPONSE/ITEM LIST/ITEM (KEY, VALUE +) 
(HOST. UPDATE OUTPUT/RESPONSE/ITEM LIST/TEM/KEY (#PCDATA) 
The response item keyword. 
(HOST. UPDATE OUTPUT/RESPONSE/ITEM LIST/TEM/VALUE (#PCDATA) 


The response item value. 
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Host Purge Output 


API used 


Gualys API (VM, PC) XML/DTD Reference 


<platform API server>/api/2.0/fo/asset/host/ with action=purge 


DTD for Host Purge Output 
<platform API server>/api/2.0/fo/asset/host/dtd/purge/output.dtd 


A recent DTD is shown below. 
<!-- QUALYS HOST OUTPUT DTD FOR PURGE ACTION--> 
<!-- SRevision$ --> 
<!ELEMENT BATCH RETURN (REQUEST?, RESPONSE) > 
<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE 
POST DATA? > 
<!EL ENT DATETIME (#PCDATA) > 
<!E ENT USER LOGIN (t PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA) > 
<!EL ENT PARAM LIST (PARAM+) > 
<!ELEMENT PARA (KEY, VALUE) > 
<!ELEMENT KEY (#PCDATA) > 
<!ELEMENT VALUE (#PCDATA) > 
<!-- If specified, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 
<!ELEMENT RESPONS (DATETIME, BATCH LIST?) > 
<!EL ENT BATCH LIST (BATCH+) > 
<!EL ENT BATCH (CODE?, TEXT?, ID SET?)> 
<!ELEMENT COD (#PCDATA) > 
<!EL ENT TEXT (#PCDATA) > 
<!EL ENT ID SET (IDIID RANGE) +> 
<!EL ENT ID RANGE (#PCDATA) > 
<!ELEMENT ID (#PCDATA)> 
<!-- EOF --> 


XPaths for Host Update Output 


, 


Chapter 5 - Assets XML 


PARAM LIST?, 


XPath element specifications / notes 

BATCH RETURN (REOUEST?,RESPONSE) 

/BATCH_RETURN/REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/BATCH_RETURN/REQUEST/DATETIME  (#PCDATA) 

The date and time of the API request. 
/BATCH_RETURN/REQUEST/USER_LOGIN (#PCDATA) 

The user login ID of the user who made the request. 
/BATCH_RETURN/REQUEST/RESOURCE  (#PCDATA) 

The resource specified for the request. 
/BATCH_RETURN/REQUEST/PARAM_LIST (PARAM+)) 
/BATCH_RETURN/REQUEST/PARAM_LIST/PARAM (KEY, VALUE)) 

/BATCH RETURN/REOUEST/PARAM LIST/PARAM/KEY  (#PCDATA) 
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An input parameter name. 

/BATCH RETURN/REOUEST/PARAM LIST/PARAM/VALUE — (4PCDATA) 

An input parameter value. 

/BATCH RETURN/REOUEST/POST. DATA (#PCDATA) 

The POST data, if any. 
/BATCH_RETURN/RESPONSE (DATETIME, BATCH LIST) 
/BATCH_RETURN/RESPONSE/DATETIME (#PCDATA) 

The date and time of the response. 
/BATCH_RETURN/RESPONSE/BATCH_LIST (BATCH+) 
/BATCH_RETURN/RESPONSE/BATCH_LIST/BATC (CODE IE RATAS EI) 
/BATCH RETURN/RESPONSE/BATCH LIST/BATCH/CODE (#PCDATA) 

A batch code. 
/BATCH_RETURN/RESPONSE/BATCH_LIST/BATCH/TEX (#PCDATA) 

A batch text description. 

/BATCH RETURN/RESPONSE/BATCH LIST/BATCH/ID SET  (ID|ID_RANGE) 
/BATCH_RETURN/RESPONSE/BATCH_LIST/BATCH/ID_SET/ID (#PCDATA) 

A batch ID number. 

/BATCH RETURN/RESPONSE/BATCH LIST/BATCH/ID SET/ID RANGE (4PCDATA) 


A batch ID range. 
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Host List VM Detection Output 
API used 


<platform API server>/api/2.0/fo/asset/host/vm/detection with action=list 


DTD for Host List VM Detection Output 
<platform API server>/api/2.0/fo/asset/host/vm/detection/dtd/output.dtd 


A recent DTD is shown below. 


<!-- QUALYS HOST LIST VM DETECTION OUTPUT DTD ==> 
<!-- SRevision$ --> 
<!ELEMENT HOST LIST VM DETECTION OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 

POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 
M 
i 


<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


<!ELEMENT RESPONSE (DATETIME, HOST LIST?, WARNING?) > 

<!ELEMENT HOST LIST (HOST+) > 

<!ELEMENT HOST (ID, ASSET ID?, IP?, IPV6?, TRACKING METHOD?, NETWORK ID?, 

OS?, OS CPE?, DNS?, DNS DATA?, CLOUD PROVIDER?, CLOUD SERVICE?, 

CLOUD RESOURCE ID?, EC2 INSTANCE ID?, NETBIOS?, QG HOSTID?, 

LAST SCAN DATETIME?, LAST VM SCANNED DATE?, LAST VM SCANNED DURATION?, 

LAST VM AUTH SCANNED DATE?, LAST VM AUTH SCANNED DURATION?, 

LAST PC SCANNED DATE?, TAGS?, METADATA?, CLOUD PROVIDER TAGS?, 

DETECTION LIST) > 

<!ELEMENT ID (#PCDATA) > 

IP (#PCDATA) > 

IPV6 (#PCDATA) > 
TRACKING METHOD (#PCDATA) > 

T NETWORK ID (#PCDATA) > 
O 
O 
D 
D 


T 


m 


<!ELEME 
<!ELEME 
<!ELEME 
<!ELEME 
<!ELEME 
<!ELEME 
<!ELEME 
<!ELE 
<!ELE 
<!ELE 
<!ELE 
<!ELE 
<!ELE 
<!ELE 
<!ELEME 
<!ELEME 


m 


m 


S (#PCDATA) > 

S CPE (#PCDATA) > 
NS PCDATA) > 
NS DATA (HOSTNAME?, DOMAIN?, FODN?) > 
T HOSTNAME (#PCDATA) > 

T DOMAIN (#PCDATA) > 

T FODN (#PCDATA) > 

T CLOUD PROVIDER (#PCDATA) > 

,OUD_SERVICE (#PCDATA) > 
,OUD_RESOURCE ID (#PCDATA) > 

C2 INSTANCE ID (#PCDATA) > 

T NETBIOS (#PCDATA) > 


SSS 5555 
2 72 2 2 2 2 2 2 2 2 2 2 2 2 22 


HAA 


T 
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<!ELEMENT OG HOSTID (#PCDATA) > 

<!ELEMENT LAST SCAN DATETIME (#PCDATA) > 

<!ELEMENT LAST VM SCANNED DATE (#PCDATA) > 

<!ELEMENT LAST VM SCANNED DURATION (#PCDATA) > 

<!ELEMENT LAST VM AUTH SCANNED DATE (#PCDATA)> 

<!ELEMENT LAST VM AUTH SCANNED DURATION (#PCDATA) > 

<!ELEMENT LAST PC SCANNED DATE (#PCDATA) > 

<!ELEMENT TAGS (TAG+)> 

<!ELEMENT TAG (TAG ID?, NAME, COLOR?, BACKGROUND COLOR?) > 

<!ELEMENT TAG ID (#PCDATA) > 

<!ELEMENT NAME (#PCDATA) > 

<!ELEMENT COLOR (#PCDATA) > 

<!ELEMENT BACKGROUND COLOR (#PCDATA) > 

<!ELEMENT METADATA (EC2|GOOGLE|AZURE) +> 

<!ELEMENT EC2 (ATTRIBUTE*) > 

<!ELEMENT GOOGLE (ATTRIBUTE*) > 

<!ELEMENT AZURE (ATTRIBUTE*) > 

<!ELEMENT ATTRIBUTE 

(NAME, LAST STATUS, VALUE, LAST SUCCESS DATE?,LAST ERROR DATE?,LAST ERROR?) > 

<!ELEMENT LAST STATUS (#PCDATA) > 

<!ELEMENT LAST SUCCESS DATE (#PCDATA) > 

<!ELEMENT LAST ERROR DATE (#PCDATA) > 

<!ELEMENT LAST ERROR (#PCDATA) > 

<!ELEMENT DETECTION LIST (DETECTION+) > 

<!ELEMENT DETECTION (QID, TYPE, SEVERITY?, PORT?, PROTOCOL?, FODN?, SSL?, 
INSTANCE?, 
RESULTS?, STATUS?, 
FIRST FOUND DATETIME?, LAST FOUND DATETIME?, 
TIMES FOUND?, 
AST TEST DATETIME?, 
LAST UPDATE DATETIME?, 
LAST FIXED DATETIME?, 
FIRST REOPENED DATETIME?, LAST REOPENED DATETIME?, 
TIMES REOPENED?, 
SERVICE?, IS IGNORED?, IS DISABLED?, 
AFFECT RUNNING KERNEL?, AFFECT RUNNING SERVICE?, 
AFFECT EXPLOITABLE CONFIG?, 
LAST PROCESSED DATETIME?) > 

<!ELEMENT QID (#PCDATA) > 

<!ELEMENT TYPE (#PCDATA) > 

<!ELEMENT PORT (#PCDATA) > 

<!ELEMENT PROTOCOL (#PCDATA) > 

<!ELEMENT FODN (#PCDATA) > 

<!ELEMENT SSL (#PCDATA) > 

<!ELEMENT INSTANCE (#PCDATA)> 

<!ELEMENT RESULTS (#PCDATA) > 

<!ELEMENT STATUS (#PCDATA) > 

<!ELEMENT SEVERITY (#PCDATA)> 

<!ELEMENT FIRST FOUND DATETIME (#PCDATA) > 

<!ELEMENT LAST FOUND DATETIME (#PCDATA) > 

<!ELEMENT TIMES FOUND (#PCDATA) > 

<!ELEMENT LAST TEST DATETIME (#PCDATA) > 

<!ELEMENT LAST UPDATE DATETIME (#PCDATA) > 

<!ELEMENT LAST FIXED DATETIME (#PCDATA) > 
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<!ELEMENT FIRST REOPENED DATETIME (#PCDATA) > 
<!ELEMENT LAST REOPENED DATETIME (#PCDATA) > 
<!ELEMENT TIMES REOPENED (#PCDATA) > 

<!ELEMENT SERVICE (#PCDATA) > 

<!ELEMENT IS IGNORED (#PCDATA) > 

<!ELEMENT IS DISABLED (#PCDATA) > 

<!ELEMENT AFFECT RUNNING KERNEL (#PCDATA) > 
<!ELEMENT AFFECT RUNNING SERVICE (#PCDATA) > 
<!ELEMENT AFFECT EXPLOITABLE CONFIG (#PCDATA) > 


<!ELEMENT LAST PROCESSED DATETIME (#PCDATA) > 
<!ELEMENT WARNING (CODE?, TEXT, URL?)> 
<!ELEMENT CODE (#PCDATA) 
<!ELEMENT TEXT (#PCDATA) 
<!ELEMENT URL (#PCDATA) > 
<!-- EOF --> 


V 


V 


XPaths for Host List VM Detection Output 


XPath element specifications / notes 
/HOST. LIST. VM. DETECTION. OUTPUT 

(REOUEST? RESPONSE) 
[HOST LIST VM DETECTION OUTPUT/REOUEST 


(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/HOST LIST VM DETECTION OUTPUT/REOUEST/DATETIME — (4PCDATA) 
The date and time of the API request. 
/HOST LIST VM DETECTION OUTPUT/REOUEST/USER LOGIN (#PCDATA) 
The user login ID of the user who made the request. 
PUT/REQUEST/RESOURCE  (#PCDATA) 
The resource specified for the request. 
/HOST_LIST_VM_DETECTION_OUTPUT/REQUEST/PARAM_LIST (PARAM+)) 
/HOST_LIST_VM_DETECTION_OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE)) 
12 
n 


/HOST_LIST_VM_D 


mi 
ti 
© 
Z 
O 
E 


/HOST_LIST_VM_D UT/REQUEST/PARAM_LIST/PARAM/KEY  (*PCDATA) 


input parameter name. 


m 
mi 
O 
Z 
O 
(=> 


/HOST_LIST_VM_D UT/REQUEST/PARAM_LIST/PARAM/VALUE — (*PCDATA) 
input parameter value. 

PUT/REQUEST/POST_DATA (#PCDATA) 
The POST data, if any. 
ION_OUTPUT/RESPONSE 
(DATETIME, HOST_LIST?, WARNING?) 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/DATETIME (#PCDATA) 


The date and time of the Qualys response. 


TT) 
m | 
© 
Z 
O 
(ee 
> Ki 


/HOST. LIST VM.D 


i 
m 
ay 
O 
Z 
O 
E 


/HOST_LIST_VM_D 


mi 
m 
ay 
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XPath element specifications / notes 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST (HOST+ 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST 
(ID, ASSET_ID?, IP?, IPV6?, TRACKING_METHOD?, NETWORK ID?, OS?, 
OS_CPE?, DNS?, DNS_DATA?, CLOUD_PROVIDER?, CLOUD_SERVICE?, 
CLOUD_RESOURCE_ID?, EC2_INSTANCE_ID?, NETBIOS?, QG_HOSTID?, 
LAST_SCAN_DATETIME?, LAST_VM_SCANNED_DATE?, 
LAST_VM_SCANNED_DURATION?, LAST_VM_AUTH_SCANNED_DATE?, 
LAST_VM_AUTH_SCANNED_DURATION?, LAST_PC_SCANNED_DATE?, 
TAGS?, METADATA?, CLOUD_PROVIDER_TAGS?, DETECTION_LIST) 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/ID (4PCDATA) 
Host ID for the asset. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/ASSET_ID (4PCDATA) 
Asset ID of the host. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/IP (#PCDATA) 
IPv4 address for the asset. 
/HOST LIST VM DETECTION OUTPUT/RESPONSE/HOST LIST/HOST/IPV6 (#PCDATA) 
IPv6 address for the asset. This appears only if the IPv6 feature is enabled 
for the subscription. 
/HOST. LIST VM DETECTION OUTPUT/RESPONSE/HOST LIST/HOST/TRACKING METHOD  (#PCDATA) 
The tracking method assigned to the asset: IP, DNS, NETBIOS, EC2. 
(HOST LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/OS  (*PCDATA) 
The operating system detected on the asset. 
/HOST LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/OS CPE (#PCDATA) 
The OS CPE name assigned to the operating system detected on the asset. 
The OS CPE name appears only when the OS CPE feature is enabled for the 
subscription, and an authenticated scan was run on this host after enabling 
this feature.) 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DNS (#PCDATA) 
DNS name for the asset. For an EC2 asset this is the private DNS name. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DNS_DATA 
HOSTNAME?, DOMAIN?, FQDN?) 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DNS_DATA/HOSTNAME — (#PCDATA) 
The DNS hostname for the asset 
/HOST. LIST. VM. DETECTION. OUTPUT/RESPONSE/HOST. LIST/HOST/DNS. DATA/DOMAIN  (#PCDATA) 
The domain name forthe asset 
/HOST. LIST VM DETECTION OUTPUT/RESPONSE/HOST LIST/HOST/DNS DATA/FODN — (*PCDATA) 
The Fully Oualified Domain Name (FODN) for the asset. 
(HOST LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/CLOUD PROVIDER — (*PCDATA) 
Cloud provider of the asset. These will be populated for all cloud assets 
(Azure, EC2, Google). 
(HOST LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/CLOUD SERVICE (#PCDATA) 
Cloud service of the asset. For example: (VM for Azure, EC2 for AWS). 
(HOST LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/CLOUD RESOURCE ID (#PCDATA) 


A 


oud resource ID of the asset. 
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XPath element specifications / notes 
/HOST. LIST. VM. DETECTION. OUTPUT/RESPONSE/HOST. LIST/HOST/EC2 INSTANGE ID  (#PCDATA) 
EC2 instance ID forthe asset. 
/HOST LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/NETBIOS (#PCDATA) 
NetBIOS name for the asset. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/QG_HOSTID (#PCDATA) 


The Qualys host ID assigned to the asset when Agentless Tracking is used 
or when a cloud agent is installed. 


/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/LAST_SCAN_DATETIME (#PCDATA) 
The date and time of the most recent vulnerability scan of the asset. 


_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/ 
LAST. VM SCANNED DATE (#PCDATA 


The scan end date/time for the most recent unauthenticated vulnerability 


scan of the asset. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/ 


LAST_VM_SCANNED_DURATION (#PCDATA) 


The scan duration (in seconds) for the most recent unauthenticated 
vulnerability scan of the asset. 


/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/ 
LAST_VM_AUTH_SCANNED_DATE (#PCDATA) 


The scan end date/time for the last successful authenticated vulnerability 
scan of the asset. 


/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/ 
LAST VM AUTH SCANNED DURATION - (4PCDATA) 


The scan duration (in seconds) for the last successful authenticated 
vulnerability scan of the asset. 


/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOS 
DATE (#PCDATA) 


ra 


~ 


The scan end date/time for the most recent compliance scan on the asset. 
/HOST_LIST_VM_DETE N_OUTPUT/RESPONSE/HOST_LIST/HOST/TAGS (TAG+) 
/HOST_LIST_VM PUT/RESPONSE/HOST_LIST/HOST/TAGS/TAG 


T/RESPONSE/HOST_LIST/HOST/TAGS/TAG/TAG_ID (#PCDATA) 


The ID of a tag associated with the asset when show_tags=1 is specified. 
/RESPONSE/HOST_LIST/HOST/TAGS/TAG/NAME (#PCDATA) 
The name of a tag associated with the asset when show_tags=1 is specified. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/TAGS/TAG/COLOR (#PCDATA) 
olor of a tag associated with the asset when show_tags=1 is specified. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/TAGS/TAG/ 


BACKGROUND COLOR (#PCDATA) 


The background color of a tag associated with the asset when show tags=1 
is specified. 
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XPath element specifications / notes 
(HOST. LIST VM DETECTION. OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA 
(EC2|GOOGLE|AZURE)+ 


(SHE TEISAL 


E ECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/METADATA/ 
C2|GOOGLE|AZURE (ATTRIBUTE*) 


OST. LIST VM. DETECTION. OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA/ 
C2|GOOGLE|AZURE/ATTRIBUTE 


AO 
m M 


z 
mi 


/ 
E 
/ 
E 


NAME, LAST. STATUS, VALUE, LAST. SUCCESS. DATE?, 
LAST. ERROR. DATE?, LAST. ERROR?) 


ECTION. OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA/ 


62 GOOGLEJA URE/ATTRIBUTE/NAME (#PCDATA 
Attribute name, fetched from instance metadata. 
ECTION. OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA/ 


@2 GOOGLEJA URE/ATTRIBUTE/LAST. STATUS (4PCDAT ) 
Attribute last status, fetched from instance metadata. 
ECTION. OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA/ 


C2|GOOGLEJAZURE/ATTRIBUTE/VALUE (#PCDATA) 
Attribute value, fetched from instance metadata. 


ECTION. OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA/ 
/ATTRIBUTE/LAST. SUCCESS DATE (#PCDATA) 


Attribute last success date/time, fetched from instance metadata. 


VM. DETECTION. OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA/ 
E/ATTRIBUTE/LAST. ERROR DATE (#PCDATA 


Attribute last error date/time, fetched from instance metadata. 


ISE ETECTION. OUTPUT/RESPONSE/HOST. LIST/HOST/METADATA/ 
C2[GOOGLEJAZURE/ATTRIBUTE/LAST ERROR (4PCDATA) 


Attribute last error, fetched from instance metadata. 
(HOST LIST. VM. DETE ON. OUTPUT/RESPONSE/HOST. LIST/HOST/CLOUD PROVIDER. TAGS 
( 
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ECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/CLOUD_PROVIDER_TAGS/CLOUD_TAG 


DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/CLOUD_PROVIDER_TAGS/CLOUD_TAG 


The name of the cloud tag. 


/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/CLOUD_PROVIDER_TAGS/CLOUD_TAG 
/VALUE (#PCDATA 


The value of the cloud tag. 
CTION_OUTPUT/RESPONSE/HOST_LIST/HOST/CLOUD_PROVIDER_TAGS/CLOUD_TAG 


OST_LIST_VM_DE 


LAST. SUCCESS. DATE (*PCDATA) 


SST 


Tag last success date/time, fetched from instance. 
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Chapter 5 - Assets XML 


VM DETEC 


ION. OU 


PUT/RESPONSE/ 


OSI TEIS 


/HOST/DETEC 


ION_LIS 


(DETECTION+) 


VM DETEC 


ION OU 
(QID, TYPE, SEVERITY?, PORT?, PROT 


PUT/RESPONSE/HOS 


AS OSI DEE, 


ION_LIS 
FOCOL?, FODN?, SSL?, INSTANCE?, 


RESULTS?, STATUS?, FIRST. FOUND DATETIME?, 
LAST. FOUND. DATETIME?, TIMES. FOUND?, 


EASI IDNs 


IS IGNORED?, IS D 


AFFECT. RUNNING SERVICE?, AFFECT. 
LAST. PROCESSED. DATETIME?) 


IME?, LAST UPDATE. 
LAST. FIXED. DATETIME?, FIRST. REOPEN 
LAST REOPENED DATET 


DATETIME?, 
ED. DATETIME?, 

ME?, TIMES REOPENED?, SERVICE?, 
SABLED?, AFFECT. RUNNING. KERNEL?, 
EXPLOITABLE CONFIG?, 


/DETECTION 


/HOS 
DETECTION/OID 


EC 
(#PCDATA) 


LIST VM] 


ION OUTPUT/RESPONSE/ 


OS 


ISAL SAD ESE 


ION LIS 


The QID for the vulnerability in the detection record. 


PS 


/HOS 
DETECTION/TYPE 


LIST_VM_DETEC 


TON. OUTPUT/RESPONSE/ 
#PCDATA) 


OS 


The type of vu 


information gathered. 


nerability 
vulnerability, Potential for a potential vu 


AMS OS DETES 


in the detection record 


nerabi 


ION_LIS 


: Confi 


SS 


rmed for a confirmed 


lity, and Info for an 


record. 


/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DETECTION_LIST/ 
DETECTION/SEVERITY (#PCDATA) 

The severity of the vulnerability. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DETECTION_LIST/ 
DETECTION/PORT (#PCDATA) 

The port number that the vulnerability was detected on 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DETECTION_LIST/ 
DETECTION/PROTOCOL (#PCDATA 

The protocol the vulnerability was detected on. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DETECTION_LIST/ 
DETECTION/FQDN  (#PCDATA) 

The Fully Qualified Domain Name (FQDN) of the host 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DETECTION_LIST/ 
DETECTION/SSL (#PCDATA) 

The value 1 is returned if the vulnerability was detected over SSL. The value 

0 is returned if the vulnerability was not detected over SSL. This element is 

not returned for information gathered. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DETECTION_LIST/ 
DETECTION/INSTANCE (#PCDATA) 

The Oracle DB instance the vulnerability was detected on. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DETECTION_LIST/ 
DETECTION/RESULTS (#PCDATA) 

The scan test results, if any, returned by the service for the detection 


/HOST. LIST VMI 
DETECTION/STATUS 


DETECTION_OUTPUT/RESPONSE/HOS 
(#PCDATA) 


The current vulnerabili 


_LIST/HOST/DETECTIO 


IST) 


ty status of the vulnerability in the detection record. 
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XPath element specifications / notes 
(HOST. LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/DETECTION LIST/ 
DETECTION/FIRST. FOUND DATETIME (#PCDATA) 

The date/time when the vulnerability was first found 
/HOST. LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/DETECTION. LIST/ 
DETECTION/LAST. FOUND DATETIME  (#PCDATA) 

The most recent date/time when the vulnerability was found. 

/HOST. LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/DETECTION LIST/ 
DETECTION/TIMES FOUND (#PCDATA 

The number of times the vulnerability was detected on the host. 
/HOST. LIST. VM. DETECTION. OUTPUT/RESPONSE/HOST. LIST/HOST/DETECTION. LIST/ 

DETECTION/LAST TEST. DATETIME (4PCDATA) 

The most recent date/time when the vulnerability was tested. 

/HOST. LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/DETECTION LIST/ 
DETECTION/LAST. UPDATE DATETIME (#PCDATA) 

The most recent date/time when the detection record was updated. 
/HOST. LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/DETECTION. LIST/ 
DETECTION/LAST. FIXED DATETIME (#PCDATA) 

The date/time when the vulnerability was verified fixed by a scan. 
/HOST. LIST VM DETECTION. OUTPUT/RESPONSE/HOST. LIST/HOST/DETECTION LIST/ 
DETECTION/FIRST. REOPENED DATETIME (#PCDATA 

The date/time when the vulnerability was reopened by a scan. 

/HOST. LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/DETECTION LIST/ 
DETECTION/LAST. REOPENED. DATETIME (#PCDATA 

The date/time when the vulnerability was last reopened by a scan. 
/HOST. LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/DETECTION LIST/ 
DETECTION/TIMES_REOPENED (#PCDATA) 

The number of times the vulnerability was reopened by a scan. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DETECTION_LIST/ 
DETECTION/SERVICE (#PCDATA) 

The service the vulnerability was detected on, if applicable. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DETECTION_LIST/ 
DETECTION/IS IGNORED  (#PCDATA) 

A flagindicating whether the vulnerability is ignored for the particular 

host. A value of 1 means it is ignored, a value of 0 means it is not ignored. 
/HOST. LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/DETECTION. LIST/ 
DETECTION/IS_DISABLED (#PCDATA 

A flag indicating whether the vulnerability is globally disabled for all hosts. 

A value of 1 means it is disabled, a value of 0 means it is not disabled. 
/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/HOST_LIST/HOST/DETECTION_LIST/ 
DETECTION/AFFECT_RUNNING_KERNEL (#PCDATA) 

A flag identifying vulnerabilities found on running or non-running Linux 


kernels. A value of 1 


indicates that the QID is exploitable because it was 


found on a running kernel. A value of 0 indicates that it is not exploitable 
because it was found on a non-running kernel. This element is returned 
only if the API request includes the parameter arf_kernel_filter set to 0, 1, 2, 


3 or 4 or active_kern 


els_only set to 0, 1, 2 or 3. 
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element specifications / notes 


/HOST. LIST VM DETECTION OUTPUT/RESPONSE/HOST. LIST/HOST/DETECTION LIST/ 


DETECTION/AFFECT. RUNNING. SERVICE (#PCDATA) 


A flag identifying vulnerabilities found on running or non-running services. 
A value of 1 indicates that the QID is not exploitable because it was found 
on non-running port/service. A value of 0 indicates that it is exploitable 
because it was found on a running port/service. This element is returned 


only if the API requ 
2,3 or 4. 


es 


t includes the parameter arf_service_filter set to 0, 1, 


/HOST_LIST_VM_DETECTION_OUTPUT/RESPONSE/H 


OST_LIST/HOST/DET 


DETECTION/AFFECT_EXPLOITABLE_CONFIG (#PCDAT 


TA 


ECTION_LIST/ 


A flag identifying vulnerabilities that may or may not be exploitable due to 


the current host co 


nfi 


guration. A value o 


f 1 indicates that the QID is not 


exploitable due to the current host configuration. A value of 0 indicates 


that it is exploitable due to the current h 
request includes 


returned only if 
to 0, 1, 2, 3 or 4. 


the A 


D 


ost configuration. This element is 
the parameter arf config filter set 


UT/R 
ETIME (#PC 


e date/time 


ION OU 
ESSED. DA 


SS 


ESPONSE/HOS 
DATA) 


when th 


e 


_LIST/HOST/DET 


ECTION_LIST/ 


detection was last processed. 


12 
T 
Th 
PUT/R 


ESPONSE/WARN 


NG (CODE?, TEXT, URL?) 


ESPONS 


ning c 
00 host rec 


E/WARN 


ode. This 


c 
ords. 


NG/CODE (4PCDATA) 


ode appears when the API reguest identifies more 


UT/R 


rhe war. 
dentifies more 


ESPONS 


ning me 


OST 


E/WARN 


ssage t 
than 1,000 


ext 


NG/TEXT (4PCDATA) 


. This message appears when the API reguest 
host records. 


D 


TPUT/RESPONS 


[he URL for makin 


tri 


OSTA 


E/WARN 


NG/URL (#PCDATA) 


gano 


ther request for the next batch of host records. 
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Excluded Hosts List Output 


API used 


<platform API server>/api/2.0/fo/asset/excluded_ip/?action=list 


DTD for Excluded Host List Output 
<platform API server>/api/2.0/fo/asset/excluded_ip/ip_list_output.dtd 


(DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 


POST DATA will be urlencoded --> 


A recent DTD is shown below. 
<!-- QUALYS IP OUTPUT DID ==> 
<!ELEMENT IP LIST OUTPUT (REQUEST?, RESPONSE) > 
<!ELEMENT REQUEST 
POST DATA?) > 
<!EL NT DATETIME (#PCDATA) > 
<!EL NT USER LOGIN (#PCDATA) > 
<!EL NT RESOURCE (#PCDATA) > 
<!ELEMENT PARA | LIST (PARAM+) > 
<!ELEMENT PARA (KEY, VALUE) > 
<!ELEMENT KEY (#PCDATA) > 
<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, 
<!ELEMENT POST DATA (#PCDATA) > 
<!EL ENT RESPONSE (DATETIME, IP SET?)> 
<!EL ENT IP SET ((IP|IP RANGE)+)> 
<!EL ENT IP (#PCDATA) > 
<!ATTLIST IP network id CDATA #IMPLIED> 
<!ATTLIST IP expiration date CDATA #IMPLIED> 
<!ELEMENT IP RANGE (#PCDATA) > 
<!ATTLIST IP RANGE 
network id CDATA #IMPLIED 
expiration date CDATA “IMPLIED 


> 


Si 


EOF ==> 


XPaths for Excluded Hosts List Output 


XPath 


yie LST OUTPUT 


element specifications / notes 


( 


REOUEST?, RESPONSE) 


(IP LIST OUTPU 


/REQUEST ( 


DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST, POST_DATA?) 


/TP_LIS 


OU 


PU 


/REQUES1 


T/DATE 


TIME (#PCDATA) 
The date and time of the API request. 


/IP_LIST_OUTPUT/REQUEST 


[/USER LOGIN (#PCDATA) 


The user login of the user who made the request. 
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element specifications / notes 


Chapter 5 - Assets XML 


(IP LIST. OUTPUT/REOUEST/ 


RESOURCE (#PCDATA) 


The resource specified for the reguest. 


ast 


2 LISE OWN. 


/REQUEST/ 


PARAM_LIST (PARAM+)) 


~ 


PILES OUNHPU 


/REQUEST/ 


PARAM_LIST/PARAM (KEY, VALUE)) 


RS 


POIS (NED 


/REOUEST/ 


PARAM LIST/PARAM/KEY (#PCDATA) 


The input parameter name. 


KT 


P LIST. OUTPUT 


T/REQUEST/ 


PARAM_LIST/PARAM/VALUE  (#PCDATA) 


The input parameter value. 


y 


POES OW NAOH 


T/REQUEST/ 


POST_DATA (#PCDATA) 


The POST data, if any. 


PS 


PAIS OMAN uN 


T/RESPONSE 


(DATETIME, IP_SET) 


SS 


2 IS (91918401 


T/RESPONSE/DATETIME — (*PCDATA) 


The date and time of the Qualys response. 


> 


PASE OWANAUA 


T/RESPONSE/IP_SET — ((IP|IP RANGE)+) 


kust 


PAPIS TE OU BE 


[/RESPONSE/IP. SET/IP  (*PCDATA) 


An IP address, identifying an excluded host. If the Networks feature is 
enabled in your subscription, the attribute “network id” is the network ID 
associated with this IP address. If an expiration date was specified when 
this IP was added to the list, the attribute “expiration date” is the date 


when the IP will be removed from the list. 


/IP LIST OUTPUT/RESPONSE/IP SET/IP RANGE (#PCDATA) 


An IP address range, identifying excluded hosts. If the Networks feature is 
enabled in your subscription, the attribute “network id” is the network ID 
associated with this IP range. If an expiration date was specified when this 
IP range was added tothe list, the attribute “expiration date”is the date 


when the IP range will be removed from the list. 


190 


Gualys API (VM, PC) XML/DTD Reference 


Excluded Hosts Change History Output 


API used 


Chapter 5 - Assets XML 


<platform API server>/api/2.0/fo/asset/excluded_ip/history/?action=list 


DTD for Excluded Host Change History Output 
<platform API server>/api/2.0/fo/asset/excluded_ip/history/history_list_output.dtd 


PARAM LIST?, 


GLOSSARY ?) > 


ER LOGIN, COMMENTS) > 


A recent DTD is shown below. 

<!-- QUALYS HISTORY LIST OUTPUT DTD --> 

<!ELEMENT HISTORY LIST OUTPUT (REQUEST?, RESPONSE) > 

<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA)> 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE)> 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 

<!ELEMENT POST DATA (#PCDATA) > 

<!ELEMENT RESPONSE (DATETIME, HISTORY LIST?, WARNING?, 

<!ELEMENT HISTORY LIST (HISTORY+) > 

<!ELEMENT HISTORY (ID, IP SET, ACTION, DATETIME, US 

<!ELEMENT ID (#PCDATA) > 

<!ELEMENT IP SET ((IP|IP RANGE) +)> 

<!ELEMENT IP (#PCDATA) > 

<!ELEMENT IP RANGE (#PCDATA) > 

<!ELEMENT ACTION (#PCDATA) > 

<!ELEMENT COMMENTS (#PCDATA) > 

<!ELEMENT WARNING (CODE?, TEXT, URL?)> 

<!ELEMENT CODE (#PCDATA) > 

<!ELEMENT TEXT (#PCDATA) > 

<!ELEMENT URL (#PCDATA) > 

<!ELEMENT GLOSSARY (USER_LIST)> 

<!ELEMENT USER LIST (USER+) > 

<!ELEMENT USER (USER LOGIN, FIRST NAME, LAST NAME, ROL 

<!ELEMENT FIRST NAME (#PCDATA) > 

<!ELEMENT LAST NAME (#PCDATA) > 

<!ELEMENT ROLE (#PCDATA) > 

<!-- EOF --> 
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XPaths for Excluded Hosts Change History Output 


XPath element specifications / notes 
(HISTORY LIST OUTPU (REOUEST?, RESPONSE) 


/HISTORY LIST. OUTPUT /REOUEST 


(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST, POST. DATA?) 
/HISTORY LIST OUTPUT /REQUEST/DATETIME (#PCDATA) 


he date and time ofthe API reguest. 
(HISTORY LIST OUTPUT /REOUEST/USER LOGIN (#PCDATA) 


he user login of the user who made the reguest. 
(HISTORY LIST OUTPUT /REQUEST/RESOURCE — (4PCDATA) 


he resource specified for the reguest. 
(HISTORY LIST OUTPUT /REOUEST/PARAM LIST (PARAM+)) 
(HISTORY LIST. OUTPUT /REOUEST/PARAM LIST/PARAM (KEY, VALUE)) 

(HISTORY LIST. OUTPUT /REOUEST/PARAM LIST/PARAM/KEY (#PCDATA) 

The input parameter name. 

(HISTORY LIST OUTPUT /REOUEST/PARAM LIST/PARAM/VALUE — (4PCDATA) 

The input parameter value. 

(HISTORY LIST OUTPUT /REOUEST/POST. DATA (#PCDATA) 

The POST data, if any. 

(HISTORY LIST OUTPUT/RESPONSE (DATETIME, HISTORY LIST? WARNING?, GLOSSARY?) 
/HISTORY LIST OUTPUT/RESPONSE /DATETIME — (*PCDATA) 

The date and time of the Qualys response. 

(HISTORY. LIST. OUTPUT/RESPONSE /HISTORY. LIST  (HISTORY+) 


/HISTORY. LIST. OUTPUT/RESPONSE /HISTORY. LIST/HISTORY 
ID, IP. SET, ACTION, DATETIME, USER. LOGIN, COMMENTS)) 


/HISTORY. LIST OUTPUT/RESPONSE /HISTORY_LIST/HISTORY/ID  (#PCDATA) 

An ID for an excluded hosts change history record. 
/HISTORY_LIST_OUTPUT/RESPONSE /HISTORY_LIST/HISTORY/IP_SET — (IP, IP RANGE)+) 
HISTORY LIST OUTPUT/RESPONSE /HISTORY_LIST/HISTORY/IP_SET/IP (4PCDATA) 
An IP address range, identifying excluded hosts. 

S 
n 


/HISTORY_LIST_OUTPUT/RESPONSE /HISTORY_LIST/HISTORY/IP_SET/RANGE (#PCDATA) 
An IP address range, identifying excluded hosts. 
/HISTORY_LIST_OUTPUT/RESPONSE /HISTORY_LIST/HISTORY/ACTION (#PCDATA) 


An action associated with the change: Added for added excluded hosts, or 
Removed for removed excluded hosts. 


/HISTORY_LIST_OUTPUT/RESPONSE /HISTORY_LIST/HISTORY/COMMENTS  (#PCDATA) 

User comments entered during the action associated with excluded hosts. 
/HISTORY_LIST_OUTPUT /RESPONSE/WARNING (CODE?, TEXT, URL?) 

/HISTORY_LIST_OUTPUT /RESPONSE/WARNING/CODE  (#PCDATA) 


The warning code. This code appears when the API request identifies more 
than 1,000 excluded hosts change history records. 
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XPath element specifications / notes 
/HISTORY. LIST. OUTPUT /RESPONSE/WARNING/TEX (#PCDATA) 


The warning message text. This message appears when the API request 
identifies more than 1,000 excluded hosts change history records. 


/HISTORY_LIST_OUTPUT /RESPONSE/WARNING/TEXT/URL (#PCDATA) 


The URL for making another request for the next batch of excluded hosts 
change history records. The URL includes the “id_max” parameter for 
change history records with an ID less than or equal to a specified ID. 


/HISTORY_LIST_OUTPUT /RESPONSE/GLOSSARY (USER_LIST 
/HISTORY_LIST_OUTPUT /RESPONSE/GLOSSARY/USER_LIST (USER+) 


/HISTORY_LIST_OUTPUT /RESPONSE/GLOSSARY/USER_LIST/USER 


(USER_LOGIN, FIRST_NAME, LAST_NAME, ROLE) 


/HISTORY_LIST_OUTPUT /RESPONSE/GLOSSARY/USER_LIST/USER/FIRST_NAME (#PCDATA) 


The first name of a user who performed an action on excluded hosts 
included in the XML output. 


/HISTORY_LIST_OUTPUT /RESPONSE/GLOSSARY/USER_LIST/USER/LAST_NAME  (#PCDATA) 


The last name of a user who performed an action on excluded hosts 
included in the XML output. 


/HISTORY_LIST_OUTPUT /RESPONSE/GLOSSARY/USER LIST/USER/ROLE (4PCDATA) 


The role of a user who performed an action on excluded hosts included in 
the XML output. 
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Virtual Host List Output 
API used 


<platform API server>/api/2.0/fo/asset/vhost/?action=list 


DTD for Virtual Host List Output 


<platform API server>/ap 


A recent DTD 


i/2.0/fo/asset/vhost/vhost list output.dtd 


is shown below. 

<!-- OUALYS VIRTUAL HOST OUTPUT DID --> 

<!ELEMENT VIRTUAL HOST LIST OUTPUT (REOUEST?,RESPONSE) > 

<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!EL NT DATETIME (#PCDATA) > 

<!EL NT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 

<!ELEMENT POST DATA (#PCDATA) > 

<!ELEMENT RESPONSE (DATETIME, (VIRTUAL HOST LIST) ?, WARNING?) > 

<!ELEMENT VIRTUAL HOST LIST (VIRTUAL HOST+) > 

<!ELEMENT VIRTUAL HOST (IP, PORT, FODN+) > 

<!ELEMENT IP (#PCDATA) > 

<!ELEMENT PORT (#PCDATA) > 

<!ELEMENT FQDN (#PCDATA) > 


XPaths for Virtual Host List Output 


XPath element specifications / notes 
/VIRTUAL_HOST_LIST_OUTPUT (REQUEST?,RESPONSE) 
/VIRTUAL_HOST_LIST_OUTPUT/REQUES 
(DATETIME, USER. LOGIN, RESOURCE, PARAM_LIST?, POST DATA?) 
/VIRTUAL_HOST_LIST_OUTPUT/REQUEST/DATETIME (#PCDATA) 
The date and time of the API request. This element appears only when the 
API request includes the parameter echo_request=1. 
/VIRTUAL HOST LIST OUTPUT/REOUEST/USER LOGIN (#PCDATA) 
The user login ID of the user who made the request. This element appears 
only when the API reguest includes the parameter echo reguest=1. 
/VIRTUAL HOST LIST OUTPUT/REOUEST/RESOURCE  (#PCDATA) 


The 
AP 


resource specified for the reguest. This element appears only when the 
reguest includes the parameter echo reguest=1. 
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XPath element specifications / notes 

/VIRTUAL HOST LIST OUTPUT/REOUEST/PARAM LIST (PARAM+)) 

/VIRTUAL HOST LIST OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE)) 
/VIRTUAL HOST LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY (#PCDATA) 
An input parameter name. This element appears only when the API reguest 
includes the parameter echo reguest=1. 
/VIRTUAL HOST LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE — (4PCDATA) 


An input parameter value. This element appears only when the API reguest 
includes the parameter echo reguest=1. 


/VIRTUAL HOST LIST OUTPUT/REOUEST/POST DATA (#PCDATA) 


The POST data, if any. This element appears only when the API reguest 
includes the parameter echo reguest=1. 


(VIRTUAL. HOST. LIST. OUTPUT/RESPONSE 
DATETIME, (VIRTUAL HOST LIST)?, WARNING?) 
/VIRTUAL HOST LIST OUTPUT/RESPONSE/DATETIME (4PCDATA) 

The date and time of the Qualys response. 

' OUTPUT/RESPONSE/VIRTUAL HOST LIST (VIRTUAL HOST+) 
 OUTPUT/RESPONSE/VIRTUAL HOST LIST/VIRTUAL HOST 
(IP, PORT, FQDN+) 
/VIRTUAL HOST LIST OUTPUT/RESPONSE/VIRTUAL HOST LIST/VIRTUAL HOST/IP (4PCDATA) 


/VIRTUAL HOST. L 
/VIRTUAL HOST L 


un 


un 


The IP address for the virtual host configuration. 
/VIRTUAL HOST LIST OUTPUT/RESPONSE/VIRTUAL HOST LIST/VIRTUAL HOST/PORT  (*PCDATA) 


The port for the virtual host configuration. 
/VIRTUAL HOST LIST OUTPUT/RESPONSE/VIRTUAL HOST LIST/VIRTUAL HOST/FODN  (*PCDATA) 
One FQDN for the virtual host configuration. 


IPv6 Mapping Records List Output 


API used 
<platform API server>/api/2.0/fo/asset/ip/v4_v6/?action=list 


DTD for IPv6 Mapping Records List Output 
<platform API server>/api/2.0/fo/asset/ip/v4_v6/ip_map_list_output.dtd 


A recent DTD is shown below. 


<!-- QUALYS IP MAP LIST OUTPUT DTD --> 


<!ELEMENT IP MAP LIST OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 
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<!ELEMENT PARA (KEY, VALUE) > 
<!ELEMENT KEY (#PCDATA) > 
<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST 
<!ELEMENT POST DATA (#PCDATA) > 
<!ELEMENT RESPONSE (DATETIME, I 
<!ELEMENT IP MAP LIST (IP MAP+)> 
<!ELEMENT IP MAP (ID, V4, V6, NI 
<!ELEMENT ID (#PCDATA) > 
<!ELEMENT V4 (#PCDATA) > 
<!ELEMENT V6 (#PCDATA) > 

<!-- EOF --> 


Qualys API (VM, PC) XML/DTD Reference 


P MAP LIST?)> 


ETWORK_ID?) > 


XPaths for IPv6 Mapping Records List Output 


Chapter 5 - Assets XML 


DATA will be urlencoded --> 


XPath element specifications / notes 

/IP_MAP_LIST_OUTPU (REQUEST?,RESPONSE) 

(IP MAP LIST. OUTPUT/REOUEST 
(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 

/IP MAP LIST OUTPUT/REOUEST/DATETIME (#PCDATA) 
The date and time of the API request. This element appears only when the 
API request includes the parameter echo_request=1. 

/IP MAP LIST OUTPUT/REOUEST/USER LOGIN  (#PCDATA) 
The user login ID of the user who made the request. This element appears 
only when the API reguest includes the parameter echo reguest=1. 

/IP MAP LIST OUTPUT/REOUEST/RESOURCE — (4PCDATA) 
The resource specified for the reguest. This element appears only when the 
API reguest includes the parameter echo reguest=1. 

/IP MAP LIST OUTPUT/REOUEST/PARAM LIST (PARAM+)) 

/IP MAP LIST OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE)) 

/IP MAP LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY  (#PCDATA) 
An input parameter name. This element appears only when the API reguest 
includes the parameter echo. reguest= 

/IP MAP LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE — (4PCDATA) 
An input parameter value. This element appears only when the API reguest 
includes the parameter echo. reguest= 

/IP MAP LIST OUTPUT/REOUEST/POST DATA  (#PCDATA) 
The POST data, if any. This element appears only when the API reguest 
includes the parameter echo. reguest= 

/IP MAP LIST OUTPUT/RESPONSE (DATETIME, IP MAP LIST?) 

/IP MAP LIST OUTPUT/RESPONSE/DATETIME (#PCDATA) 


The date and time of the Qualys response. 
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XPath element specifications / notes 
/IP MAP LIST OUTPUT/RESPONSE/IP. MAP LIST LIST (IP MAP+) 


/IP MAP LIST OUTPUT/RESPONSE/IP. MAP LIST LIST/IP MAP (ID, V4, V6) 


/IP MAP LIST OUTPUT/RESPONSE/IP. MAP LIST LIST/IP MAP/ID (#PCDATA) 


A service-assigned ID for a mapping record. 
/IP MAP LIST OUTPUT/RESPONSE/IP. MAP LIST LIST/IP MAP/V4 (#PCDATA) 


An IPv4 address for a mapping record. 
/IP MAP LIST OUTPUT/RESPONSE/IP. MAP LIST LIST/IP MAP/V6 (#PCDATA) 


An IPv6 address for a mapping record. 


vCenter - ESXi Mapping Records List Output 
API used 


<platform API server>/api/2.0fo/auth/vcenter/vcenter_mapping/?action=list 


DTD for IPv6 Mapping Records List Output 


<platform API 
server>/api/2.0/fo/auth/vcenter/vcenter_mapping/vcenter_esxi_map_list_output.dtd 


A recent DTD is shown below. 


<!-- QUALYS VCENTER ESXI MAP LIST OUTPUT DTD --> 
<!-- SRevision$ --> 
<!ELEMENT VCENTER ESXI MAP LIST OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 

POST D 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 
M 
M 
M 


<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 

<!ELEMENT RESPONSE (DATETIME, VCENTER ESXI MAP LIST?, WARNING?) > 
<!ELEMENT VCENTER ESXI MAP LIST (VCENTER ESXI MAP+)> 

<!ELEMENT VCENTER ESXI MAP (VCENTER IP, ESXI IP, MAPPING DATA SOURCE?) > 
<!ELEMENT VCENTER IP (#PCDATA) > 

<!ELEMENT ESXI IP (#PCDATA) > 

<!ELEMENT MAPPING DATA SOURCE (#PCDATA) > 

<!ELEMENT WARNING (CODE?, TEXT, URL?)> 

<!ELEMENT CODE (#PCDATA) > 

<!ELEMENT TEXT (#PCDATA) > 

<!ELEMENT URL (#PCDATA) > 

<i== HOF ==> 


See we ee 
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XPaths for vCenter - ESXi Mapping Records List Output 


XPath element specifications / notes 
/VCENTER ESXI MAP LIST OUT (REOUEST?,RESPONSE) 
PUT 


/VCENTER_ESXI_MAP_LIST_OUTPUT/REQUEST 
(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/VCENTER_ESXI_MAP_LIST_OUTPUT/REQUEST/DATETIME  (#PCDATA) 


The date and time of the API request. This element appears only when the 
API request includes the parameter echo_request=1. 


/VCENTER_ESXI_MAP_LIST_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 


The user login ID of the user who made the request. This element appears 
only when the API request includes the parameter echo_request=1. 


/VCENTER_ESXI_MAP_LIST_OUTPUT/REQUEST/RESOURCE  (#PCDATA) 


The resource specified for the request. This element appears only when the 
API request includes the parameter echo_request=1. 


/VCENTER_ESXI_MAP_LIST_OUTPUT/REQUEST/PARAM_LIST (PARAM+)) 
/VCENTER_ESXI_MAP_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE)) 
/VCENTER_ESXI_MAP_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM/KEY  (#PCDATA) 


An input parameter name. This element appears only when the API request 
includes the parameter echo_request=1. 


/VCENTER_ESXI_MAP_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM/VALUE — (*PCDATA) 


An input parameter value. This element appears only when the API request 
includes the parameter echo_request=1. 


/VCENTER_ESXI_MAP_LIST_OUTPUT/REQUEST/POST_DATA (#PCDATA 


The POST data, if any. This element appears only when the API request 
includes the parameter echo_request=1. 


/VCENTER_ESXI_MAP_L OUTPUT/RESPONSE (DATETIME, VCENTER_ESXI_MAP_LIST?, WARNING?) 
/VCENTER_ESXI_MAP_L OUTPUT/RESPONSE/DATETIME (#PCDATA) 

The date and time of the Qualys response. 
/VCENTER ESXI MAP LIST OUTPUT/RESPONSE/VCENTER ESXI MAP LIST (VCENTER ESXI MAP+) 
/VCENTER ESXI MAP LIST OUTPUT/RESPONSE/VCENTER. ESXI MAP LIST/VCENTER. ESXI MAP 
(VCENTER IP, ESXI IP, MAPPING DATA SOURCE?) 
/VCENTER ESXI MAP LIST OUTPUT/RESPONSE/VCENTER. ESXI MAP LIST/VCENTER. ESXI MAP/VCENTER. 


A vCenter IP address for a mapping record. 
/NCENTER ESXI MAP LIST OUTPUT/RESPONSE/VCENTER ESXI MAP LIST/VC 


mi 
T 


TER_ESXI_MAP/ESXI_IP 


An ESXi IP address for a mapping record. 
/VCENTER_ESXI_MAP_LIST_OUTPUT/RESPONSE/VCENTER_ESXI_MAP_LIST/VC 


Eval 


NTER_ESXI_MAP/MAPPING_ 


The mapping data source for a mapping record. 
NTER_ESXI_MAP_LIST_OUTPUT/RESPONSE/VCENTER_ESXI_MAP_LIST/WARNING (CODE?, TEXT, 
) 


/VCENTER_ESXI_MAP_LIST_OUTPUT/RESPONSE/WARNING/CODE (#PCDATA) 
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/VCENT 


HERMES A EAS 


OU 


PUT/RESPONSE/WARNING/TEXT (#PCDATA) 


Warning message text. 


/VCENT 


TER_ESXI_MAP_LIS 


_0U 


PUT/RESPONSE/WARNING/URL  (#PCDATA) 
Warning URL. 
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Restricted IPs List Output 
API used 


<platform API server>/api/2.0/fo/setup/restricted_ips/?action=list 


DTD for Restricted IPs List Output 
<platform API server>/api/2.0/fo/setup/restricted_ips/restricted_ips_output.dtd 


A recent DTD is shown below. 


<!-- QUALYS RESTRICTED IPS OUTPUT DTD --> 


<!ELEMENT RESTRICTED IPS OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 


<!EL NT DATETIME (#PCDATA) > 

<!EL NT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


<!ELEMENT RESPONSE (DATETIME, IP SET?, STATUS?)> 


m 


<!EL NT IP SET ((IP|IP RANGE)+)> 
<!ELEMENT IP (#PCDATA) > 

<!ELEMENT IP RANGE (#PCDATA) > 
<!ELEMENT STATUS (#PCDATA) > 

<!-- EOF --> 


D 


m 


D 


XPaths for Restricted IPs List Output 


XPath element specifications / notes 

/RESTRICTED IPS OUTPUT (REOUEST?,RESPONSE) 

/RESTRICTED IPS OUTPUT/REOUEST 

(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/RESTRICTED IPS OUTPUT/REOUEST/DATETIME — (4PCDATA) 


[he date and time of the API request to download the restricted IPs list. 
his element appears only when the API request includes the parameter 
echo reguest=1. 

/RESTRICTED IPS OUTPUT/REOUEST/USER LOGIN (#PCDATA) 


The user login ID of the user who made the request. This element appears 
only when the API reguest includes the parameter echo reguest=1. 
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XPath element specifications / notes 
ED IPS OUTPUT/REOUEST/RESOURCE (#PCDATA) 


= 
ES) 
mi 
ja 
(2) 

TI 


The resource specified for the request. This element appears only when the 
API reguest includes the parameter echo reguest=1. 
/RESTRICTED IPS OUTPUT/REOUEST/PARAM LIST (PARAM+)) 
/RESTRICTED IPS OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE)) 
/RESTRICTED IPS OUTPUT/REOUEST/PARAM LIST/PARAM/KEY (#PCDATA) 


An input parameter name. This element appears only when the API reguest 
includes the parameter echo reguest=1. 


D IPS OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE  (#PCDATA) 


/RESTRIC 


mi 


An input parameter value. This element appears only when the API reguest 
includes the parameter echo reguest=1. 


D IPS OUTPUT/REOUEST/POST DATA — (4PCDATA) 


The POST data, if any. This element appears only when the API reguest 
includes the parameter echo reguest=1. 


/RESTRICTED IPS OUTPUT/RESPONSE (DATETIME, IP SET?, STATUS?) 
/RESTRICTED IPS OUTPUT/RESPONSE/DATETIME (#PCDATA) 

e date and time of the Qualys response. 
/RESTRICTED IPS OUTPUT/RESPONSE/IP SET ((IPIIP RANGE)+) 
/RESTRICTED IPS OUTPUT/RESPONSE/IP. SET/IP (4PCDATA) 
An IP address in the restricted IPs list. 
/RESTRICTED IPS OUTPUT/RESPONSE/IP SET/IP RANGE (#PCDATA) 
An IP address range in the restricted IPs list. 
/RESTRICTED IPS OUTPUT/RESPONSE/STATUS (#PCDATA) 


The status of the restricted IPs list: enabled or disabled. When enabled a 
user who attempts to login to Qualys from an IP in the restricted IPs list 
will be denied access. 


/RESTRIC 


mi 
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<platform API server>/api/2.0/fo/asset/ip/ action=update 


Duplicate hosts error is returned with instructions in cases where you try to update hosts 
with multiple scan data entries using the IP Update API. This can happen when scans 
identified multiple hostnames for the same IP address. 


DTD for Restricted IPs List Output 
<platform API server>/api/2.0/fo/asset/ip/duplicate_hosts_error.dtd 


A recent DTD is shown below. 

<!-- QUALYS DUPLICATE HOSTS ERROR OUTPUT DTD --> 

<!ELEMENT DUPLICATE HOSTS ERROR OUTPUT (REQUEST?, RESPONSE) > 

<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA)> 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 

<!ELEMENT POST DATA (#PCDATA) > 

<!ELEMENT RESPONSE (CODE?, DATETIME, WARNING?) > 

<!ELEMENT CODE (#PCDATA) > 

<!ELEMENT WARNING (TEXT, DUPLICATE HOSTS, URL) > 

<!ELEMENT TEXT (#PCDATA) > 

<!ELEMENT URL (#PCDATA) > 

<!ELEMENT DUPLICATE HOSTS (DUPLICATE HOST*) > 

<!ELEMENT DUPLICATE HOST (IP, DNS HOSTNAME, NETBIOS HOSTNAME, 

LAST SCANDATE, TRACKING) > 

<!ELEMENT IP (#PCDATA) > 

<!ELEMENT DNS HOSTNAME (#PCDATA) > 

<!ELEMENT NETBIOS HOSTNAME (#PCDATA) > 

<!ELEMENT LAST SCANDATE (#PCDATA)> 

<!ELEMENT TRACKING (#PCDATA) > 

<!-- EOF --> 
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/DUPLICATE HOSTS ERROR OUTPUT (REQUEST?,RESPONSE) 


/DUPLICATE HOSTS ERROR OUTPUT/REOUEST 


(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 


/DUPLICATE HOSTS ERROR OUTPUT/REOUEST/DATETIME — (#PCDATA) 


echo reguest=1. 


The date and time of the API request to download the restricted IPs list. 
his element appears only when the API request includes the parameter 


/DUPLICATE HOSTS. ERROR OUTPUT/REOUEST/USER LOGIN (#PCDATA) 


The user login ID of the user who made the request. This element appears 
only when the API reguest includes the parameter echo reguest=1. 


The resource specified for the request. 1 
PI request includes the parameter echo_request=1. 


/DUPLICATE HOSTS. ERROR OUTPUT/REOUEST/RESOURCE  (#PCDATA) 


This element appears only when the 


/DUPLICATE. HOSTS. ERROR. O 


E 


REOUEST/PARAM LIST  (PARAM+)) 


Ss 
UJ 


UPLIGATE. HOSTS. ERROR O 


/DUPLICATE. HOSTS. ERROR. OU 


E 
: > RAI > 
C 


input parameter name. 


REQUEST/PARAM_LIST/PARAM/KEY 


/ 
/REOUEST/PARAM LIST/PARAM (KEY, VALUE)) 
/ 
n 


(#PCDATA) 


[his element appears only when the API request 
ncludes the parameter echo_request=1. 


input parameter value. 


es the parameter ec no_request=1. 


/DUPLICATE_HOSTS_ERROR_OUTPUT/REQUEST/PARAM_LIST/PARAM/VALUE — (4PCDATA) 
n 


This element appears only when the API request 


u 
/DUPLICATE. HOSTS. ERROR. OUTPUT/ 


d 
REOUEST/POST DATA  (*PCDATA) 


The POST data, if any. This element appears only when the API reguest 
des the parameter echo reguest=1. 


ESPONSE (CODE?, DATETIME, WARNING?) 


u 
/DUPLICATE_HOSTS_ERROR_OUTPUT/ 
/DUPLICATE_HOSTS_ERROR_OUTPUT/ 


Qualys response code. 


ESPONSE/CODE (#PCDATA) 


/DUPLICATE_HOSTS_ERROR_OU 


UT/RESPONSE/DATETIME (#PCDATA) 


P 
The date and time of the Qualys response. 


/DUPLICATE. HOSTS. ERROR. OU 


RESPONSE/WARNING (TEXT, DUPLICATE_HOSTS, URL) 


/DUPLICATE_HOSTS_ERROR_OU 


RESPONSE/WARNING/TEXT (#PCDATA) 


RESPONSE/WARNING/DUPLICATE_HOSTS (DUPLICATE_HOST") 


/DUPLICATE HOSTS ERROR OU RESPONSE/DUPLICATE HOS 


P 
P 

/DUPLICATE_HOSTS_ERROR_OUTPU 
P 
( 


S /HOS 


/ 
/ 
A warning description with instructions on how to resolve the issue. 
/ 
/ 


/DUPLICATE_HOSTS_ERROR_OUTPUT/RESPONSE/DUPLICATE_HOS 


The IP address of the duplicate asset. 


S /HOS 


S 
IP, DNS HOSTNAME, NETBIOS_HOSTNAME, LAST. SCANDATE, TRACKING) 
S 


/ 


/DUPLICA' OSTS_ERROR_OUTPUT/RESPONSE/DUPLICATE_HOS 
DNS_HOSTNAME (#PCDATA) 


mi 


S /HOS 


The DNS name of the duplicate asset. 
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LICATE HOSTS ERROR OUTPUT/ 


IOS HOSTNAME (#PCDATA) 


RESPONS 


The NetBIOS h 


E/DUPLICATE. HOSTS /HOST/ 


ostname of the duplicate asset. 


TRACKING (#PCDATA) 


The tracking 


method of the duplicate asset: I 


/DUPLICATE HOSTS ERROR. OUTPUT/RESPONSE/DUPLICATE HOSTS /HOST/ 
LAST. SCANDATE (#PCDATA) 

The date/time when the duplicate asset was last scanned. 
/DUPLICATE HOSTS ERROR. OUTPUT/RESPONSE/DUPLICATE HOSTS /HOST/ 


P, DNS, NETBIOS, EC2. 


LICATE HOSTS ERROR OUTPUT/ 


RESPONS 


E/WARNING/URL (#PCDATA) 


The URL to use to log in to the Qualys Cloud 


Platform where you can edit 


the duplicate asset per the warning instructions provided. 
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API used 


Qualys A 


<platform API server>/api/2.0/fo/asset/group/?action=list 


DTD for Asset Group List Output 
<platform API server>/api/2.0/fo/asset/group/asset_group_list_output.dtd 


PI (VM, PC) XML/DTD Reference 
Chapter 5 - Assets XML 


A recent DTD is shown below. 
<!-- QUALYS ASSET GROUP_LIST OUTPUT DTD --> 
<!ELEMENT ASSET GROUP LIST OUTPUT (REQUEST?, RESPONSE) > 
<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 
<!ELEMENT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (#PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA) > 
<!ELEMENT PARAM LIST (PARAM+) > 
<!ELEMENT PARAM (KEY, VALUE) > 
<!ELEMENT KEY (#PCDATA) > 
<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 
<!ELEMENT RESPONSE (DATETIME, (ASSET GROUP LIST|ID SET) ?, WARNING?) > 
<!ELEMENT ASSET GROUP LIST (ASSET GROUP+) > 
<!ELEMENT ID SET (ID| ID RANGE) +> 
<!ELEMENT ID RANGE (#PCDATA)> 
<!ELEMENT ASSET GROUP (ID, TITLE?, 
OWNER USER ID?, OWNER UNIT ID?, (NETWORK ID|NETWORK IDS) ?, 
LAST UPDATE?, BUSINESS IMPACT?, 
CVSS ENVIRO CDP?, CVSS ENVIRO TD?, CVSS ENVIRO CR?, CVSS ENVIRO IR?, 
CVSS ENVIRO AR?, 
DEFAULT APPLIANCE ID?, APPLIANCE IDS?, 
IP SET?, DOMAIN LIST?, DNS LIST?, NETBIOS LIST?, 
HOST IDS?, EC2 IDS?, 
ASSIGNED USER IDS?, ASSIGNED UNIT IDS?, COMMENTS?, OWNER USER NAME? 
)> 
<!ELEMENT ID (#PCDATA) > 
<!ELEMENT TITLE (#PCDATA) > 
<!ELEMENT OWNER USER ID (#PCDATA)> 
<!ELEMENT OWNER UNIT ID (#PCDATA)> 
<!ELEMENT NETWORK ID (#PCDATA) > 
<!ELEMENT NETWORK IDS (#PCDATA) > 
<!ELEMENT LAST UPDATE (#PCDATA) > 
<!ELEMENT BUSINESS IMPACT (#PCDATA) > 
<!-- CVSS --> 
<!ELEMENT CVSS ENVIRO CDP (#PCDATA) > 
<!ELEMENT CVSS ENVIRO TD (#PCDATA) > 
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<!ELEMENT CVSS ENVIRO CR (#PCDATA) > 
<!ELEMENT CVSS ENVIRO IR (#PCDATA) > 
<!ELEMENT CVSS ENVIRO AR (#PCDATA) > 
<!-- APPLIANCE LIST --> 

<!ELEMENT DEFAULT APPLIANCE ID (#PCDATA) > 
<!ELEMENT APPLIANCE IDS (4PCDATA) > 

<!-- IP SET --> 

<!ELEMENT IP SET ((IP|IP RANGE) +)> 
<!ELEMENT IP (#PCDATA)> 

<!ATTLIST IP network id CDATA #IMPLIED> 
<!ELEMENT IP RANGE (#PCDATA) > 

<!ATTLIST IP RANGE network id CDATA #IMPLIED> 
<!-- DOMAIN LIST --> 

<!ELEMENT DOMAIN LIST (DOMAIN+) > 
<!ELEMENT DOMAIN (#PCDATA) > 

<!ATTLIST DOMAIN netblock CDATA ""> 
<!ATTLIST DOMAIN network id CDATA #IMPLIED> 
<!-- DNS_LIST --> 

<!ELEMENT DNS LIST (DNS+) > 

<!ELEMENT DNS (#PCDATA) > 

<!ATTLIST DNS network_id CDATA "0"> 
<!-- NETBIOS LIST --> 

<!ELEMENT NETBIOS LIST (NETBIOS+) > 
<!ELEMENT NETBIOS (#PCDATA) > 

<!ATTLIST NETBIOS network id CDATA "0"> 
<!-- EC2_IDS --> 

<!ELEMENT EC2_IDS (#PCDATA) > 

<!-- HOST_IDS --> 

<!ELEMENT HOST_IDS (#PCDATA) > 

<!-- USER_IDS --> 

<!ELEMENT ASSIGNED USER IDS (#PCDATA) > 
<!-- UNIT_IDS --> 

<!ELEMENT ASSIGNED UNIT IDS (#PCDATA) > 
<!-- COMMENTS --> 

<!ELEMENT COMMENTS (#PCDATA) > 

<!-- OWNER USER NAME --> 

<!ELEMENT OWNER USER NAME (#PCDATA) > 
<!-- WARNING --> 

<!ELEMENT WARNING (CODE?, TEXT, URL?)> 
<!ELEMENT CODE (#PCDATA) > 

<!ELEMENT TEXT (#PCDATA) > 

<!ELEMENT URL (#PCDATA) > 
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XPath element specifications / notes 
(ASSET. GROUP LIST OUTPU (REOUEST?,RESPONSE) 
/ASSET. GROUP LIST OUTPUT/REOUEST 
(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/ASSET. GROUP LIST. OUTPUT/REOUEST/DATETIME (#PCDATA) 
The date and time of the API request. This element appears only when the 
API request includes the parameter echo_request=1. 
/ASSET_GROUP_LIST_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 
The user login ID of the user who made the request. This element appears 
only when the API request includes the parameter echo_request=1. 
/ASSET_GROUP_LIST_OUTPUT/REQUEST/RESOURCE — (*PCDATA) 
The resource specified for the request. This element appears only when the 
API request includes the parameter echo_request=1. 
/ASSET_GROUP_LIST_OUTPUT/REQUEST/PARAM_LIST (PARAM+)) 
/ASSET_GROUP_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE)) 
/ASSET_GROUP_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM/KEY — (4PCDATA) 
An input parameter name. This element appears only when the API reguest 
includes the parameter echo reguest=1. 
/ASSET. GROUP LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE — (*PCDATA) 
An input parameter value. This element appears only when the API reguest 
includes the parameter echo reguest=1. 
/ASSET. GROUP LIST OUTPUT/REOUEST/POST. DATA (#PCDATA) 
The POST data, if any. This element appears only when the API reguest 
includes the parameter echo reguest=1. 
/ASSET. GROUP LIST OUTPUT/RESPONSE (DATETIME, (ASSET. GROUP LISTJID. SET)?, WARNING?) 
/ASSET. GROUP LIST OUTPUT/RESPONSE/DATETIME (#PCDATA) 
The date and time of the Qualys response. 
/ASSET. GROUP LIST. OUTPUT/RESPONSE/ASSET. GROUP LIST (ASSET_GROUP+) 
/ASSET. GROUP LIST OUTPUT/RESPONSE/ASSET. GROUP LIST/ASSET. GROUP 
(ID, TITLE?, OWNER USER ID?, OWNER UNIT ID?, (NETWORK IDINETWORK IDS)?, LAST UPDATE?, 
BUSINESS IMPACT?, CVSS ENVIRO CDP?, CVSS_ENVIRO_TD?, CVSS ENVIRO CR?, CVSS ENVIRO IR?, 
CVSS ENVIRO AR?, DEFAULT APPL ANCE. ID? , APPLIANCE_IDS?, bP Sie? DOMAIN LIST?, DNS_LIST?, 
NETBIOS_LIST?, HOST_IDS?, EC2_IDS?, ASSIGNED_USER_IDS?, ASSIGNED_UNIT_IDS?, COMMENTS?) 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ID_SET (ID|ID_RANGE)+ 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ID_SET/ID (#PCDATA) 
The ID of included asset group. 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ID_SET/ID_RANGE (#PCDATA) 
The ID range of included asset groups. 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ASSET_GROUP_LIST/ASSET_GROUP/TITLE (#PCDATA) 
The title of the asset group. 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ASSET_GROUP_LIST/ASSET_GROUP/OWNER_USER_ID (#PCDATA) 


D of the asset group's owner. 
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/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ASSET_GROUP_LIST/ASSET_GROUP/OWNER_UNIT_ID (#PCDATA) 
The business unit ID of the asset group’s owner. 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ASSET_GROUP_LIST/ASSET_GROUP/NETWORK_ID (#PCDATA) 
(Appears only if the Networks feature is enabled for your subscription) The 
asset group will be assigned to a custom network ID or 0 (the Global Default 
Network). 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ASSET_GROUP_LIST/ASSET_GROUP/NETWORK_IDS (#PCDATA) 
(Appears only if the Networks feature is enabled for your subscription) This 
element lists custom network IDs that include the All asset group. Have 
multiple All asset groups? Yes you might. There is 1 All group for the 
subscription, and 1 All group for each custom business unit. 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ASSET_GROUP_LIST/ASSET_GROUP/ 
LAST_UPDATE (#PCDATA) 
The date/time the asset group was last updated. 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ASSET_GROUP_LIST/ASSET_GROUP/ 
BUSINESS_IMPACT (#PCDATA) 
The business impact assigned to the asset group. 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ASSET_GROUP_LIST/ASSET_GROUP/CVSS<value> (#PCDATA) 
The CVSS environmental metrics assigned to the asset group. 
CVSS_ENVIRO_CDP (Collateral Damage Potential) 
CVSS_ENVIRO_TD (Target Distribution) 
CVSS_ENVIRO_CR (Confidentiality Requirement) 
CVSS_ENVIRO_IR (Integrity Requirement) 
CVSS_ENVIRO_AR (Availability Requirement) 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ASSET_GROUP_LIST/ASSET_GROUP/ 
DEFAULT_APPLIANCE_ID (#PCDATA) 
The ID of the asset group’s default scanner appliance. 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ASSET_GROUP_LIST/ASSET_GROUP/ 
APPLIANCE_IDS (#PCDATA 
The IDs of the scanner appliances assigned to the asset group. 
/ASSET_GROUP_LIST_OUTPUT/RESPONSE/ASSET_GROUP_LIST/ASSET_GROUP/IP_SET (IP|IP RANGE) 
/ASSET. GROUP LIST OUTPUT/RESPONSE/ASSET. GROUP LIST/ASSET. GROUP/IP SET/IP (#PCDATA) 
An IP address assigned to the asset group. If the Networks feature is 
enabled in your subscription, the attribute “network id” is the network ID 
associated with this IP address. 
(ASSET. GROUP LIST OUTPUT/RESPONSE/ASSET. GROUP LIST/ASSET. GROUP/ 


IP SET/IP RANGE (4PCDATA) 


An IP address range assigned to the asset group. If the Networks feature is 


enabled in your subscription 
associated with this I 


P range. 


, the attribute 


“network_id” is the network ID 


/ASSET_GROUP_LIS 
DOMAIN_LIST (DOMAIN+ 


_OUTPU 
) 


/RESPONSE/ASSET_GROUP_LIS 


/ASSET_GROUP/ 


/ASSET_GROUP_LIST_OU 
DOMAIN (#PCDATA) 


PU 


/RESPONSE/ASSET_GROUP_LIS 


A doma 
netbloc 
in your 
associa 


in assigned to 
k assigned to 
subscription, 
ted with this I 


P addre 


/ASSE 


ss. 


_GROUP/DOMAIN_LIST/ 


the asset group. The attribute “netblock” is the 
this domain, if any. If the Networks feature is enabled 
the attribute “network_id” is the network ID 
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element specifications / notes 


Chapter 5 - Assets XML 


/ASSET. GROUP LIS 


/RESPONSE/ASSE'I 


_LIST/ASSET_GROUP/DNS_LIST (DNS+ 


/ASSET. GROUP LIS 
DNS (4PCDATA) 


/RESPONSE/ASSE'I 


A DNS name assigned to 
in your subscription, 


_LIST/ASSET_GROUP/DNS_LIST/ 


the asset group. If the Networks feature is enabled 
the attribute “network_id” is the network ID 


associated with the DNS host. 
/ASSET_GROUP_LIS /RESPONSE/ASSE'I  LIST/ASSET. GROUP/NETBIOS LIST (NETBIOS+) 
/ASSET. GROUP LIS /RESPONSE/ASSE'I _LIST/ASSET_GROUP/NETBIOS_LIST/ 
NETBIOS (#PCDATA) 

A NetBIOS name assigned to the asset group. If the Networks feature is 


OS host. 


enabled in your subscription, the attribute “network id” is the network ID 
associated with the N 


/ASSET. GROUP LIS 


SE/ASSE 


LIST/ASSET. GROUP/EC2. IDS (#PCDATA 


Ds associated with the asset group. 
/ASSET. GROUP LIS PONSE/ASSE LIST/ASSET. GROUP/HOST IDS (#PCDATA) 
The host IDs associated with the asset group. 
/ASSET_GROUP_LIS PONSE/ASSE LIST/ASSET_GROUP/EC2_IDS (#PCDATA) 
EC2 instance IDs associated with the asset group. 
/ASSET_GROUP_LIS PONSE/ASSE LIST/ASSET_GROUP/ASSIGNED_USER_IDS 


The asset group is visible 


to users with 


these user IDs. 


/ASSET_GROUP_LIS 


PONS 


he asset group is assi 


E/ASSE 


gned to business 


E 
Wn 


JESSE G 


ROUP/ASSIGNED UNIT IDS 


units with these unit IDs. 


/ASSET. GROUP LIS 


PONS 


E/ASSE 
defined 


M 
cA 


LIST/ASS 


ts for the asset group. 


ROUP/COMMENTS (#PCDATA) 


/ASSET. GROUP LIS 


PONS 


E/ASSE 


LIST/ASSET. G 


ROUP/OWNER USER NAME 


The asset group owner name is displayed. 


/ASSET. GROUP LIS 


PONS 


E/WARNING (CODE?, TEX'I 


r, URL?) 


/ASSET_GROUP_LIS 


PONS 


,000 


E/WARNIN 


The warning co 
asset group 


G/CODE (4PCDATA) 


. This code a 
records. 


ppears when the API request finds more than 


/ASSET_GROUP_LIS 


finds m 


PONSE/WARNIN 
a 


The warning message text. Th 


ore than 1 


G/TEXT (4PCDATA) 


is message appears when the API request 
,000 asset group records. 


/ASSET_GROUP_LIS 


PON 


SE/WARNIN 
URL for maki 


G/URL ( 4PCDATA) 


ng another reguest for the next batch of asset group 


Asset Search Report 


API used 


Gualys API (VM, PC) XML/DTD Reference 


Chapter 5 - Assets XML 


<platform API server>/api/2.0/fo/report/asset/?action=search 


DTD for Asset Search Report Output 


<platform API server>/asset search report v2.dtd 


A recent DTD 


<1== g 


is shown below. 


UALYS ASSET S 


EARCH R 


EPORT 


DID ==> 


ENT ASS 


S 


EPORT ( 


ERROR | (HEAD 


ET 


ENT ERROR ( 


EAD 


ER --> 


EARCH R 


PCDATA 
ERROR number C 


ENT H 


EOU 


FILT 


, 


EQUEST 


ENT REO 


U 


EST 


DATA?) > 


F 


ENT DATETIM 


ENT 


USER LOGIN 


ENT RESOURC 


F 


ENT 


PARAM LIST 


PARAM (KI 


Header --> 


ESTI, 


yao 
DATA +1 


COMPANY, US 


PLII 


ER, HOST_LIST?))> 


ERNAM 


ETIM 


ERATION_DAT 


(DATETIM 


E 


US 


, 


(#PCDATA)> 
(#PCDATA)> 
(#PCDATA)> 
(PARAI 
EY, VALUE)> 


+)> 


KEY (#PC 


m 


VALUE (+ 
turned, 
POST DATA 


COMPANY (# 


ENT USERNAM 


E ( 


ENT GEN 


E 


ENT FILTERS 


( (IP 


 LISTJASS 
IDI TRACKING M 


ET GROU 
ETHO 


TER S 


E|FILT 


ERVIC 


XT 


TER FIRST 
| FIL 


FOUND 
ER LAST CO 


TI 


EM 


ENT IP LIST 


EMENT 


RANGE 


EM 


ENT 


EMENT 


END 


EM 


ENT ASS 


T 


EM 


ENT ASS 


RATION_ 


(RANGE 
(START 
START (#PCDATA) > 
(#PCDATA) > 


T GROUPS 
T GROUP TITLE 


DATA) > 
PCDATA) > 
POST DATA will be urlencoded --> 


(#PCDATA) > 


D 


PCDATA) > 
PCDATA) > 


DATETIM 


TAGS|FILT 


ESOURC 


E 


ER_ LOGIN, R 


PCDATA) > 


ER_DNS 


D 


PERATING SYST 


, 


PARAM LIST?, 


m 


3 
el 


| FILTER NETBIOS|FILTER AZUR 


E 


3 
3 


| FILTER _OS_CPE|FIL 


F 


ER_PORT| 


FILT 


ER_R 


m 


ESULT|FIL 


ER 


AST SCAN DATE | 


E 


TWORK 


rd 


(ASSI 


> 
D) > 


E, 


E SCAN DAT 


D 


TER DISE 


| FIL 


AY AG TITL 


ES|FILTER QID WIT 


E 


FILT 


ER AZUR 


E 


_VM_STATE)+)> 


ET GROUP TITLE+) > 
(#PCDATA) > 
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ENT NETWORK (#PCDATA) > 


ENT ASSET TAGS (INCLUDED TAGS, EXC 


UDED TAGS?)> 


ENT INCLUDED TAGS (ASSET TAG*)> 


IED> 


LIST INCLUDED TAGS scope CDATA #IMP 


ENT EXCLUDED TAGS (ASSET TAG*) > 


IED> 


IST EXCLUDED TAGS scope CDATA #IMP 


ENT ASSET TAG (#PCDATA) > 


ENT FILTER DNS (#PCDATA) > 


ENT FILTER NETBIOS (#PCDATA) > 
LIST FILTER NETBIOS criterion CDATA #IMPLIED> 


ENT FILTER AZURE VM ID (#PCDATA) > 


ENT TRACKING METHOD (#PCDATA) > 


ENT FILTER OPERATING SYSTEM (#PCDATA) > 
LIST FILTER OPERATING SYSTEM criterion CDATA #IMPLIED> 


(#PCDATA) > 


PCDATA) > 


= ( 
ERVICE (#PCDATA) > 


ESULT (#PCDATA) > 


O 
P 
S 
ENT FILTER OID (#PCDATA)> 
R 
R 


ESULT criterion CDATA #IMPLIED> 


ENT FILTER LAST SCAN DATE (#PCDATA)> 


IST FILTER LAST SCAN DATE criterion CDATA #IMPLIED> 


ENT FILTER LAST COMPLIANCE SCAN DATE (#PCDATA) > 


IST FILTER LAST COMPLIANCE SCAN DATE criterion CDATA #IMPLIED> 


ENT FILTER FIRST FOUND DATE (# PCDATA) > 


ENT FILTER DISPLAY AG TITLES PCDATA) > 


ENT FILTER OID WITH TEXT (#PCDATA) > 


ENT FILTER AZURE VM STATE (#PCDATA) > 


ENT TOTAL (#PCDATA) > 


HOST LIST --> 


ENT HOST LIST ((HOST| WARNING) *) > 


ENT HOST (ERROR | (IP, HOST TAGS?, TRACKING METHOD, 
CLOUD PROVIDER?, CLOUD SERVICE?, CLOUD RESOURCE ID?, 
STANCE ID?, NETBIOS?, OPERATING SYSTEM?, OS CPE?, QID LIST?, 


N 
SERVICE LIST?, ASSET GROUPS?, NETWORK?, LAST SCAN DATE?, 
COMPLIANCE SCAN DATE?, FIRST FOUND DATE?))> 


P (#PCDATA) > 


P network id CDATA #IMPLIED> 


OST TAGS (#PCDATA) > 


'OUD PROVIDER (#PCDATA) > 


'OUD SERVICE (#PCDATA) > 


T 
I 
H 
ENT DNS (#PCDATA) > 
Cc 
C 
Cc 


,OUD_RESOURCE ID (#PCDATA) > 


ENT EC2 INSTANCE ID (#PCDATA) > 
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ENT ETBIOS 


ENT 


pP 


ENT OS CPE 


ENT QI IST 


a 


D. 
ENT QID 


ERATING SYS7 
(#PCDA' 
(QID4 
ID, RESU 


(#PCDATA) > 


TEM 
[A) > 
> 


iT?)> 


(+ PCDATA) > 


L 
( 
E + 


ENT ID ( 


if format is se 
tab '\t' is the 
and new line 


m 


F 


ENT RESUL 


m 


IST RESUL 


format CDATA #IMP 


PCDATA) > 
t to 


Ari? 
(PC 


"table" --> 


col separator --> 


DATA) > 


1 


Gualys API (VM, PC) XML/DTD Reference 


is the end of row --> 


PORT 


[ SERVICE. 


IST (PO 


E+) > 


PORT 


S 


ERVIC 


PORT ( 


F 


SERVICE ( 


[ SERVICE 
PCDATA) > 
PCDATA) > 


(PORT, 


D 


EFAULT_ SERVIC 


F 


(#PCDATA) > 


422242422 


AST SCAN 


AST 


DAT 
TANCE 


= 
E 


E 


(#PCDATA) > 


TE, 
E 


[ COMP 


EMENT 


WARNING ( 


p 


p 


TLIS1 


FIRST FOUND DAI 


PCDAT 
WARNING number CDATA #IMPLII 


 SCAN DA'I 
[E (#PCDAI 


TA) > 


TA) > 


XPaths for Asset Search Report 


EFAULT S 


(# PCDATA) > 


E D> 


Chapter 5 - Assets XML 


XPath element specifications / notes 
/ASSET SEARCH REPORT (ERROR | (HEADER, HOST LIST?) 
/ASSET SEARCH REPORT/ERROR (#PCDATA) 


attribute: number 


An error message. 


An error code, when available. 


/ASSET SEARCH REPORT/ERROR/HEADER 
(REQUEST?, COMPANY, USERNAME, GENERATION_DATETIME, TOTAL?, 
FILTERS) 
/ASSET SEARCH REPORT/ERROR/HEADER/REQUEST 
(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/ASSET SEARCH REPORT/ERROR/HEADER/REQUEST/DATETIME (#PCDATA) 
The date and time of the request. 
/ASSET SEARCH REPORT/ERROR/HEADER/REQUEST/USER_LOGIN (#PCDATA) 
The login ID of the user who made the request. 
/ASSET SEARCH REPORT/ERROR/HEADER/REQUEST/RESOURCE (#PCDATA) 
The resource specified for the request. 
/ASSET SEARCH REPORT/ERROR/HEADER/REOUEST/PARAM LIST (PARAM+)) 
/ASSET SEARCH REPORT/ERROR/HEADER/REQUEST/PARAM_LIST/PARAM (KEY, VALUE)) 
/ASSET SEARCH REPORT/ERROR/HEADER/REQUEST/PARAM_LIST/PARAM/KEY  (#PCDATA) 
The input parameter name. 
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XPath element specifications / notes 

/ASSET SEARCH REPORT/ERROR/HEADER/REQUEST/PARAM_LIST/PARAM/VALUE  (#PCDATA) 
The input parameter value. 

/ASSET SEARCH REPORT/ERROR/HEADER/REOUEST/POST DATA — (4PCDATA) 

The POST data. 

/ASSET SEARCH REPORT/ERROR/HEADER/COMPANY (#PCDATA) 

The user’s company name as defined in the user’s account. 

/ASSET SEARCH REPORT/ERROR/HEADER/USERNAME (#PCDATA) 

The login ID of the user, who generated the asset search report. 

/ASSET SEARCH REPORT/ERROR/HEADER/GENERATION_DATETIME (#PCDATA) 

The date and time when the report was generated. 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS 
(IP_LIST|ASSET_GROUPS|ASSET_TAGS|FILTER_DNS|FILTER_NETBIOS|FILTER 
_AZURE_VM_ID/TRACKING_METHOD|FILTER_OPERATING_SYSTEM|FILTER_ 
OS_CPE|FILTER_PORT|FILTER_SERVICE|FILTER_QID|FILTER_RESULT| 
FILTER_LAST_SCAN_DATE|FILTER_FIRST_FOUND_DATE|NETWORK| 
FILTER_DISPLAY_AG_TITLES|FILTER_QID_WITH_TEXT| 
FILTER_LAST_COMPLIANCE_SCAN_DATE|FILTER_LAST_SCAP_SCAN_DATE| 
FILTER_AZURE_VM_STATE) 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/IP_LIST (RANGE”) 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/IP_LIST/RANGE (START, END) 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/IP_LIST/RANGE/START (#PCDATA) 

When the asset search report includes user entered IPs, the start of an IP 
range 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/IP_LIST/RANGE/END (#PCDATA) 

When the asset search report includes user entered IPs, the end of an IP 
range 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/ASSET_GROUPS (ASSET_GROUP_TITLE+) 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/ASSET_GROUPS/ASSET_GROUP_TITLE (#PCDATA) 

An asset group title. 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/ASSET_GROUPS/NETWORK (#PCDATA) 
Restrict the request to a certain custom network ID. 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/ASSET_TAGS (INCLUDED. TAGS, EXCLUDED. TAGS?) 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/ASSET_TAGS/ INCLUDED TAGS (ASSET_TAG”) 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/ASSET_TAGS/ INCLUDED. TAGS 

attribute: scope The list of asset tags included in the report source. The scope “all” means 
hosts matching all tags; scope “any” means hosts matching at least one of 
the tags. 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/ASSET_TAGS/ EXCLUDED. TAGS (ASSET_TAG”) 

/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/ASSET. TAGS/ EXCLUDED. TAGS 


attribute: scope 


The list of asset tags excluded from the report source. The scope “all” 


means hosts matching all tags; scope “any” means hosts matching at least 


one of the tags. 


/ASSET SEARCH REPORT/ERROR/HEADER/FILTERS/ASSET. TAGS (#PCDATA) 
The asset tags selected for the report. 
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element specifications / notes 


/ASSET SEARCH 


REPORT/ERROR/HEADER/FILTERS/FILTER_DNS (#PCDATA) 
The DNS hostname. 


iterion criterion is deprecated. 


/ASSET SEARCH 


REPORT/ERROR/HEADER/FILTERS/FILTER_NETBIOS (#PCDATA) 
The NetBIOS hostname. 


iterion criterion is deprecated. 


REPORT/ERROR/HEADER/FILTERS/FILTER_AZURE_VM_ID (#PCDATA) 
The Azure VM ID of the host. 


REPORT/ERROR/HEADER/FILTERS/TRACKING_METHOD (#PCDATA) 


The tracking method for a host in a posture info record: IP, DNS, NETBIOS, 
EGZ 


REPORT/ERROR/HEADER/FILTERS/FILTER_OPERATING_SYSTEM (#PCDATA) 


he operating system on a host in a posture info record, when available. 


iterion criterion is deprecated. 


/ASSET SEARCH 


REPORT/ERROR/HEADER/FILTERS/FILTER_OS_CPE (#PCDATA) 


The OS CPE name assigned to the operating system detected on the host. 

The OS CPE name appears only when the OS CPE feature is enabled for the 
subscription, and an authenticated scan was run on this host after enabling 
this feature. 


REPORT/ERROR/HEADER/FILTERS/FILTER_PORT (#PCDATA) 


osts with the specified open ports. 


REPORT/ERROR/HEADER/FILTERS/FILTER_SERVICE (#PCDATA) 


osts that has the specified services running on it. 


REPORT/ERROR/HEADER/FILTERS/FILTER_QID (#PCDATA) 
The QID assigned to the asset. 


REPORT/ERROR/HEADER/FILTERS/FILTER_RESULT (#PCDATA) 


iterion criterion is deprecated. 


REPORT/ERROR/HEADER/FILTERS/FILTER_LAST_SCAN_DATE (#PCDATA) 


The date and time of the most recent vulnerability scan. 


iterion criterion is deprecated. 


/ASSET SEARCH 


REPORT/ERROR/HEADER/FILTERS/FILTER_LAST_COMPLIANCE_SCAN_DATE (#PCDATA) 


The date and time of the most recent compliance scan. 


iterion criterion is deprecated. 


REPORT/ERROR/HEADER/FILTERS/FILTER_FIRST_FOUND_DATE (#PCDATA) 


D 

The date when the asset was first detected. 
REPORT/ERROR/HEADER/FILTERS/FILTER_DISPLAY_AG_TITLES (#PCDATA) 
AssetGroup Titles for each host. 


Td 


REPORT/ERROR/HEADER/FILTERS/FILTER OID WITH. TEXT (#PCDATA) 


Vulnerabilities (OIDs) with the specified text in the KnowledgeBase 
applicable to the host. 


REPORT/ERROR/HEADER/FILTERS/FILTER. AZURE VM. STATE (#PCDATA) 


The Azure virtual machine state. Possible values are: STARTING, RUNNING, 
STOPPING, STOPPED, DEALLOCATING, DEALLOCATED, UNKNOWN. 
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XPath element specifications / notes 
/ASSET SEARCH T/ERROR/HEADER/TOTAL (#PCDATA) 
Total number of hosts in the asset search report. 
/ASSET SEARCH [/ERROR/HOST. LIST ((HOST|WARNING)*) 
/ASSET SEARCH T/ERROR/HOST_LIST/HOST 


(ERROR | (IP, HOST_TAGS?, TRACKING_METHOD,DNS?,CLOUD_PROVIDER?, 
CLOUD SERVICE?,CLOUD RESOURCE ID?, EC2_INSTANCE_ID?,NETBIOS?, 
OPERATING SYSTEM?, OS CPE?, OID LIST?, PORT SERVICE LIST?, 
ASSET_GROUPS?, NETWORK?, LAST SCAN DATE?, 

LAST. COMPLIANCE SCAN DATE?, FIRST. FOUND DATE?)) 


/ASSET SEARCH REPORT/ERROR/HOST_LIST/HOST IP (#PCDATA) 
The IP address for the host. 


attribute: network_id 


network_id is deprecated. 


/ASSET SEARCH ROR/HOST_LIST/HOST_TAGS (#PCDATA) 
All the tags associated with the host. 
/ASSET SEARCH ROR/HOST_LIST/DNS (#PCDATA) 
DNS hostname for the asset. For an EC2 asset this is the private DNS name. 
/ASSET SEARC R/HOST_LIST/CLOUD_PROVIDER (#PCDATA) 
Cloud provider of the asset. For example: (Azure, EC2, Google). 
/ASSET SEARC R/HOST_LIST/CLOUD_SERVICE (#PCDATA) 
Cloud service of the asset. For example: (VM for Azure, EC2 for AWS). 
/ASSET SEARCH ROR/HOST_LIST/CLOUD_RESOURCE_ID (#PCDATA) 
Cloud resource ID of the asset. 
/ASSET SEARCH ROR/HOST_LIST/EC2_INSTANCE_ID (#PCDATA) 
EC2 instance ID for the asset. 
/ASSET SEARCH ROR/HOST_LIST/NETBIOS (#PCDATA) 
NetBIOS hostname for the asset, when available. 
/ASSET SEARCH ROR/HOST_LIST/OPERATING_SYSTEM (#PCDATA) 
The operating system detected on the host. 
/ASSET SEARCH ROR/HOST_LIST/OS_CPE (#PCDATA) 
OS CPE name assigned to the operating system detected on the host. (The 
OS CPE name appears only when the OS CPE feature is enabled for the 
subscription, and an authenticated scan was run on this host after enabling 
this feature.) 
/ASSET SEARCH R HOST_LIST/QID_LIST (QID+) 
/ASSET SEARCH R HOST_LIST/QID_LIST/QID (ID, RESULT?) 
/ASSET SEARCH R ROR/HOST_LIST/QID_LIST/QID/ID (#PCDATA) 
The vulnerability QID (Qualys ID). 
/ASSET SEARC ROR/HOST_LIST/QID_LIST/QID/RESULT (#PCDATA) 
attribute: format format is deprecated. 
/ASSET SEARCH ROR/HOST_LIST/PORT_SERVICE_LIST (PORT_SERVICE+) 
/ASSET SEARC ROR/HOST_LIST/PORT_SERVICE_LIST/PORT_SERVICE 
(PORT, SERVICE, DEFAULT. SERVICE?) 
/ASSET SEARC ROR/HOST_LIST/PORT_SERVICE_LIST/PORT_SERVICE/PORT (#PCDATA) 
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XPath element specifications / notes 
Hosts that has the specified open ports. 
/ASSET SEARCH REPORT/ERROR/HOST LIST/PORT. SERVICE. LIST/PORT. SERVICE/SERVICE (#PCDATA) 
Hosts that has the specified services running on it. 
/ASSET SEARCH REPORT/ERROR/HOST. LIST/PORT. SERVICE LIST/PORT. SERVICE/DEFAULT. SERVICE 
(#PCDATA) 
Expected service to be running on the open ports 
/ASSET SEARCH REPORT/ERROR/HOST_LIST/PORT_SERVICE_LIST/PORT_SERVICE/LAST_SCAN_DATE 
(#PCDATA) 
The date and time of the most recent vulnerability scan. 
/ASSET SEARCH REPORT/ERROR/HOST_LIST/PORT_SERVICE_LIST/PORT_SERVICE/ 
LAST_COMPLIANCE_SCAN_DATE (#PCDATA) 
The date and time of the most recent compliance scan. 
/ASSET SEARCH REPORT/ERROR/HOST_LIST/PORT_SERVICE_LIST/PORT_SERVICE/FIRST_FOUND_DATE 
(#PCDATA) 
The date and time the host was first detected. 
/ASSET SEARCH REPORT/ERROR/HOST_LIST/WARNING (#PCDATA) 


A warning message. Atribute number is a warning code when available 


Network List Output 


API used 


<platform API server>/api/2.0/fo/network/?action=list 


DTD for Network List Output 


<platform API server>/network_list_output.dtd 


A recent DTD is shown below. 

<!-- QUALYS NETWORK LIST OUTPUT DTD --> 

<!ELEMENT NETWORK LIST OUTPUT (REQUEST?, RESPONSE) > 

<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARA | LIST (PARAM+) > 

<!ELEMENT PARA (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 

<!ELEMENT POST DATA (#PCDATA) > 

<!ELEMENT RESPONSE (DATETIME, NETWORK LIST?) > 

<!ELEMENT NETWORK LIST (NETWORK+) > 

<!ELEMENT NETWORK (ID, NAME, SCANNER APPLIANCE LIST?) > 

<!ELEMENT ID (#PCDATA) > 

<!ELEMENT NAME (#PCDATA) > 

<!ELEMENT SCANNER AP PLIANCE LIST (SCANNER APPLIANCE+) > 
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<!ELEMENT SCANNER APPLIANCE (ID, FRIENDLY NAME) > 
<!ELEMENT FRIENDLY NAME (#PCDATA) > 
<!-- EOF --> 


XPaths for Network List Output 


XPath element specifications / notes 
/NETWORK_LIST_OUTPUT (REQUEST?, RESPONSE) 


/NETWORK_LIST_OUTPUT/REQUEST 
(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/NETWORK_LIST_OUTPUT/REQUEST/DATETIME (#PCDATA) 


The date and time of the request. 
/NETWORK_LIST_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 


The user login ID of the user who made the request. 
/NETWORK_LIST_OUTPUT/REQUEST/RESOURCE  (#PCDATA) 


The resource specified for the request. 
/NETWORK_LIST_OUTPUT/REQUEST/PARAM_LIST (PARAM+) 


/NETWORK_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 


/NETWORK LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY  (#PCDATA) 


un 


The input parameter name. 
/NETWORK LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE — (4PCDATA) 


The input parameter value. 
/NETWORK LIST OUTPUT/REOUEST/POST DATA  (#PCDATA) 


he POST data. 
/NETWORK LIST. OUTPUT/RESPONSE (DA E ME, NETWORK LIST?) 
/NETWORK LIST. OUTPUT/RESPONSE/DATETIME (#PCDATA) 


The date and time of the response. 
/NETWORK_LIST_OUTPUT/RESPONSE/NETWORK_LIST (NETWORK+) 
/NETWORK_LIST_OUTPUT/RESPONSE/NETWORK_LIST/NETWORK 
(ID, NAME, SCANNER. APPLIANCE LIST?) 
(NETWORK LIST OUTPUT/RESPONSE/NETWORK LIST/NETWORK/ID (4PCDATA) 


The network ID. 


(NETWORK LIST OUTPUT/RESPONSE/NETWORK LIST/NETWORK/NAME (#PCDATA) 
The network name. 
(NETWORK LIST. OUTPUT/RESPONSE/NETWORK LIST/NETWORK/ 
SCANNER APPLIANCE LIST (SCANNER_APPLIANCE+) 
[NETWORK LIST. OUTPUT/RESPONSE/NETWORK LIST/NETWORK/ 
SCANNER APPLIANCE LIST/SCANNER APPLIANCE (ID, FRIENDLY. NAME) 
[NETWORK LIST. OUTPUT/RESPONSE/NETWORK LIST/NETWORK/ 
SCANNER APPLIANCE LIST/SCANNER APPLIANCE/ID (#PCDATA) 
The ID of a scanner appliance assigned to the network. 
/NETWORK_LIST_OUTPUT/RESPONSE/NETWORK_LIST/NETWORK/ 
SCANNER APPLIANCE LIST/SCANNER APPLIANCE/FRIENDLY NAME  (#PCDATA) 
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XPath element specifications / notes 
The name of a scanner appliance assigned to the network. 


Patch List Output 


API used 
<platform API server>/api/2.0/fo/asset/patch/index.php 


DTD for Patch List Output 
<platform API server>/api/2.0/fo/asset/patch/host_patches.dtd 


A recent DTD is shown below. 


<!-- QUALYS PATCH LIST OUTPUT DTD --> 

<!ELEMENT PATCH LIST OUTPUT (REQUEST?, RESPONSE) > 

<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 


A 
Zz 
ps) 


ESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+)> 

<!ELEMENT PARA (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


ESPONSE (SUBSCRIPTION ID, HOST ID, IP, DNS, NETBIOS, OS, 


OS CPE, NE 


R 

T TWORK?, PATCH_INFO LIST)> 
<!ELEMENT SUBSCRIPTION ID (#PCDATA) > 
<!ELEMENT HOST ID (#PCDATA) > 
<!ELEMENT IP (#PCDATA) > 
<!ELEMENT DNS (#PCDATA) > 
<!ELEMENT NETBIOS (#PCDATA) > 
<!ELEMENT OS (#PCDATA) > 
<!ELEMENT OS CPE (#PCDATA) > 
<!ELEMENT NETWORK (#PCDATA) > 


<!ELEMENT PATCH INFO LIST (PATCH_INFO+) > 
<!ELEMENT PATCH INFO (DETECTION QIDS, PATCH OID, PATCH SEVERITY, 
E, PATCH VENDOR_ID, PATCH RELEASE DATE, PATCH LINKS? )> 
ETECTION QIDS (QID+)> 
<!ELEMENT QID (#PCDATA) > 
LIST QID cve_ids CDATA #IMP 
<!ELEMENT PATCH QID (#PCDATA) > 
<!ATTLIST PATCH QID cve ids CDATA #IMPLIED> 
<!ELEMENT PATCH SEVERITY (#PCDATA) > 
<!ELEMENT PATCH TITLE (#PCDATA) > 
<!ELEMENT PATCH VENDOR ID (#PCDATA) > 
<!ELEMENT PATCH RELEASE DATE (#PCDATA) > 
<!ELEMENT PATCH LINKS (LINK+)> 


IED> 
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<!ELEMENT LINK (EPCDATA) > 
<!ATTLIST LINK os sw CDATA #IMPLIED> 
<!-- EOF --> 


XPaths for Patch List Output 


Chapter 5 - Assets XML 


XPath element specifications / notes 
/PATCH_LIST_OUTPU (REQUEST?, RESPONSE) 
/PATCH_LIST_OUTPUT/REQUEST 
(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/PATCH LIST OUTPUT/REOUEST/DATETIME — (*PCDATA) 
The date and time of the request. 
/PATCH LIST OUTPUT/REOUEST/USER LOGIN (#PCDATA) 
The user login ID of the user who made the reguest. 
/PATCH_LIST_OUTPUT/REQUEST/RESOURCE — (*PCDATA) 
The resource specified for the request. 
/PATCH_LIST_OUTPUT/REQUEST/PARAM_LIST (PARAM+) 
/PATCH_LIST_O UT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
/PATCH LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY  (#PCDATA) 
The input parameter name. 
/PATCH LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE (#PCDATA) 
The input parameter value. 
/PATCH LIST. OUTPUT/REOUEST/POST. DATA  (*PCDATA) 
The POST data. 
(PATCH LIST. OUTPUT/RESPONSE 
(SUBSCRIPTION ID, HOST ID, IP, DNS, NETBIOS, OS, OS CPE, NETWORK?, 
PATCH INFO LIST?) 
/PATCH LIST. OUTPUT/RESPONSE/SUBSCRIPTION ID (#PCDATA) 
Id assigned to the subscription. 
/PATCH_LIST_OUTPUT/RESPONSE/HOST_ID — (#PCDATA) 
The host ID associated with the detection. 
/PATCH LIST OUTPUT/RESPONSE/IP (*PCDATA) 
The IP address of the host. 
/PATCH LIST OUTPUT/RESPONSE/DNS — (#PCDATA) 
DNS hostname for the host. 
/PATCH LIST OUTPUT/RESPONSE/NETBIOS  (#PCDATA) 
NetBIOS hostname for the asset. 
/PATCH LIST. OUTPUT/RESPONSE/OS  (#PCDATA) 
The operating system on a host. 
/PATCH LIST. OUTPUT/RESPONSE/OS CPE (#PCDATA) 


[The OS CPE name assigned to the operating system detected on the host. 


(The OS CPE name appears only when the OS CPE feature is enabled for the 
subscription, and an authenticated scan was run on this host after enabling 


this feature.) 
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XPath element specifications / notes 

/PATCH LIST OUTPUT/RESPONSE/NETWORK  (H*PCDATA) 

The network name. 

/PATCH LIST OUTPUT/RESPONSE/PATCH INFO LIST (DETECTION_QIDS, PATCH. OID, PATCH. SEVERITY, 
PATCH. TITLE, PATCH. VENDOR ID, PATCH RELEASE DATE, PATCH LINKS?) 


Patch information (detection QID, patch QID, patch severity, patch title, 
patch vendor, patch release date and patch links). 
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Chapter 6 - VM Reports XML 


This section covers report XML returned from VM Report API reguests. 
Report List Output 

Schedule Report List Output 

Scan Report Template Output 

PCI Scan Template Output 

Patch Template Output 

Map Template Output 

Map Report Output 

Patch Report (XML) Output 

VM Scan Report Output 


Report List Output 


API used 
<platform API server>/api/2.0/fo/report/?action=list 


DTD for Report List Output 
<platform API server>/api/2.0/fo/report/report list output.dtd 


A recent DTD is shown below. 


<!-- QUALYS REPORT LIST OUTPUT DID --> 

<!ELEMENT REPORT LIST OUTPUT (REOUEST?, RESPONSE) > 

<!ELEMENT REOUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 


<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


<!ELEMENT RESPONSE (DATETIME, REPORT LIST?) > 
<!ELEMENT REPORT LIST (REPORT+) > 
<!ELEMENT REPORT (ID, TITLE, TYPE, USER LOGIN, LAUNCH DATETIME, 
OUTPUT FORMAT, SIZE, STATUS, EXPIRATION DATETIME) > 
<!ELEMENT ID (#PCDATA) > 
<!ELEMENT TITLE (#PCDATA) > 
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<!EL T CLIENT (ID, NAME) > 

<!ELEMENT TYPE (#PCDATA)> 

<!ELEMENT USER LOGIN (#PCDATA) > 
<!ELEMENT LAUNCH DATETIME (#PCDATA) > 
<!EL T OUTPUT FORMAT (#PCDATA) > 
<!ELEMENT SIZE (#PCDATA) > 

<!ELEMENT STATUS (STATE, MESSAGE?, 

<!EL T EXPIRATION DATETIME (#PCDATA) > 
<!EL T STATE (#PCDATA) > 

<!EL T MESSAGE (#PCDATA) > 

<!EL [ PERCENT (#PCDATA) > 

<!EL T EXPIRATION DATETIME (#PCDATA) > 
<!-- EOF --> 


XPaths for Report List Output 


Qualys API (VM, PC) XML/DTD Reference 


PERCENT?) > 


Chapter 6 - VM Reports XML 


XPath element specifications / notes 
/REPORT_LIST_OUTPU (REQUEST?, RESPONSE) 
/REPORT_LIST_OUTPUT/REQUEST 
(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/REPORT LIST OUTPUT/REOUEST/DATETIME  (#PCDATA) 
The date and time of the request. 
/REPORT LIST OUTPUT/REOUEST/USER LOGIN (#PCDATA) 
The user login ID of the user who made the reguest. 
/REPORT LIST OUTPUT/REOUEST/RESOURCE — (4PCDATA) 
The resource specified for the reguest. 
(REPORT LIST OUTPUT/REOUEST/PARAM LIST (PARAM+) 
/REPORT LIST OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE) 
(REPORT LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY (#PCDATA) 
The input parameter name. 
/REPORT LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE  (#PCDATA) 
The input parameter value. 
/REPORT LIST OUTPUT/REOUEST/POST DATA — (4PCDATA) 
The POST data, if any. 
(REPORT. LIST. OUTPUT/RESPONSE 
(DATETIME, REPORT. LIST?) 
(REPORT. LIST OUTPUT/RESPONSE/REPORT LIST  (REPORT+) 
/REPORT LIST OUTPUT/RESPONSE/REPORT. LIST/REPOR 
(ID, TITLE, TYPE, USER LOGIN, LAUNCH_DATETIME, OUTPUT. FORMAT, 
SIZE, STATUS, EXPIRATION. DATETIME) 
(REPORT LIST OUTPUT/RESPONSE/REPORT LIST/REPORT/ID  (#PCDATA) 
The report ID ofthe report. 
(REPORT LIST OUTPUT/RESPONSE/REPORT LIST/REPORT/TITLE (#PCDATA) 


The report title. 
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/RESPONSE/SCAN LIST/SCAN/CLIEN'I 


/RESPONSE/SCAN_LIST/SCAN/CLIENT 


[/ID (PCDATA) 


only for Consultant type subscriptions) 


Id assigned to the client. ( 


/RESPONSE/SCAN_LIST/SCAN/CLIENT 


T /NAME (#PCDATA) 


for Consultant type subscriptions) 


( 


f the client. (only 


ESPONSE/REPORT /REPORT/TYPE 


(4PCDATA) 


: Map, Scan, Compliance, Remediation, Scorecard, WAS, 
n Scorecard, or Patch. 


ESPONSE/REPORT 


(USER LOGIN (#PCDATA) 


user who launched the report. 


/LAUNCH_DATETIME (#PCDATA) 


when the report was launched. 


/OUTPUT. FORMAT (#PCDATA) 
t format: HTML, XML, PDF, MHT, CSV, or Online (for Qualys 


m 


(4PCDATA) 


US/STATE — (*PCDATA) 


ished, Canceled or Errors. 


US/MESSAGE — (*PCDATA) 


US/PERCENT (#PCDATA) 


the percentage complete. 


RT/EXPIRATION DATETIME — (*PCDATA) 


t expiration date and time. 
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Schedule Report List Output 


API used 
<platform API server>/api/2.0/fo/schedule/report/?action=list 


DTD for Schedule Report List Output 
<platform API server>/api/2.0/fo/schedule/report/schedule_report_list_output.dtd 


A recent DTD is shown below. 


<!-- QUALYS SCHEDULE REPORT LIST OUTPUT DTD --> 


<!ELEMENT SCHEDULE REPORT LIST OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 

POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 
M 
i 


<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


<!ELEMENT RESPONSE (DATETIME, SCHEDULE REPORT LIST?) > 
<!ELEMENT SCHEDULE REPORT LIST (REPORT+) > 
<!ELEMENT REPORT (ID, TITLE?, OUTPUT FORMAT, TEMPLATE TITLE?, 
ACTIVE, SCHEDULE) > 

<!ELEMENT ID (#PCDATA) > 
<!ELEMENT TITLE (#PCDATA) > 
<!ELEMENT OUTPUT FORMAT (#PCDATA) > 
<!ELEMENT TEMPLATE TITLE (#PCDATA) > 
<!ELEMENT ACTIVE (#PCDATA) > 


ys) 


ei te te! E 


<!ELEMENT SCHEDULE ((DAILY|WEEKLY|MONTHLY), START DATE UTC, 
START HOUR, START MINUTE, TIME ZONE, 


DST SELECTED, MAX OCCURRENCE?) > 
PTY> 


ci 


Tj 


<!ELEMENT DAILY 
<!ATTLIST DAILY 
frequency days CDATA #REQUIRED> 


<!-- weekdays is comma-separated list of weekdays e.g. 0,1,4,5 --> 
<!ELEMENT WEEKLY EMPTY> 
<!ATTLIST WEEKLY 

frequency_weeks CDATA #REQUIRED 

weekdays CDATA #REQUIRED> 


<!-- either day of month, or (day of week and week of month) must be 
provided --> 
<!ELEMENT MONTHLY EMPTY> 
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<!ATTLIST MONTHLY 
frequency months CDATA #REQUIRED 
day of month CDATA #IMPLIED 
day of week (0/1/2|/3/4|5|6) #IMPLIED 
week of month (1/2/3|4|/5) #IMPLIED> 


<!-- start date of the task in UTC --> 
<!ELEMENT START DATE UTC (#PCDATA) > 
<!-- User Selected hour --> 

<!ELEMENT START HOUR (#PCDATA) > 

<!-- User Selected Minute --> 
<!ELEMENT START MINUTE (#PCDATA) > 
<!ELEMENT TIME ZONE (TI E ZONE CODE, TIME ZONE 


is) 


ETAILS) > 


<!-- timezone code like US-CA --> 
<!ELEMENT TIME ZONE CODE (#PCDATA) > 


<!-- timezone details like (GMT-0800) United States (California): Los 
Angeles, Sacramento, San Diego, San Francisco--> 
<!ELEMENT TIME ZONE DETAILS (#PCDATA) > 


<!-- Did user select DST? O-not selected 1-selected --> 
<!ELEMENT DST SELECTED (#PCDATA) > 
<!ELEMENT MAX OCCURRENCE (#PCDATA) > 


T 


<!-- EOF --> 


XPaths for Schedule Report List Output 


XPath element specifications / notes 

/SCHEDULE_REPORT_LIST_OUTPU 
(REQUEST?, RESPONSE 

/SCHEDULE_REPORT_LIST_OUTPUT/REQUEST 
(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 

/SCHEDULE_REPORT_LIST_OUTPUT/REQUEST/DATETIME  (#PCDATA) 

The date and time of the request. 

/SCHEDULE_REPORT_LIST_OUTPUT/REQUEST/DATETIME  (#PCDATA) 

The date and time of the request. 

/SCHEDULE_REPORT_LIST_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 

he user login ID of the user who made the request. 

DULE_REPORT_LIST_OUTPUT/REQUEST/RESOURCE (#PCDATA) 


/SC 


m 


he resource specified for the reguest. 


/SCHEDULE REPORT. LIST OUTPUT/REOUEST/PARAM LIST (PARAM+) 
/SCHEDULE REPORT LIST OUTPUT/REOUEST/PARAM LIST/PARAM (KEY, VALUE) 
/SCHEDULE REPORT LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY — (4PCDATA) 


The input parameter name. 
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XPath element specifications / notes 
/SCHEDULE REPORT LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE — (*PCDATA) 


The input parameter value. 
REPORT. LIST OUTPUT/REOUEST/POST. DATA (#PCDATA) 


SS 
(96) 
Ri 


EDUL 


m 


The POST data, if any. 
/SCHEDULE. REPORT. LIST. OUTPUT/RESPONSE 

(DATETIME, SCHEDULE REPORT LIST? 

/SCHEDULE. REPORT. LIST. OUTPUT/RESPONSE/SCHEDULE REPORT. LIS (REPORT+) 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPOR 

(ID, TITLE?, OUTPUT_FORMAT, TEMPLATE_TITLE?, ACTIVE, SCHEDULE) 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/ID (#PCDATA) 

The report ID of the report. 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/TITLE (#PCDATA) 

The report title. 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/OUTPUT_FORMAT 
(#PCDATA) 

The report format. 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/TEMPLATE_TITLE 
(#PCDATA) 

The report template title. 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/ACTIVE (#PCDATA) 

for an active schedule, or 0 for a deactivated schedule. 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/SCHEDULE 


(DAILY|WEEKLY|MONTHLY), START_DATE_UTC, START_HOUR, 
START_MINUTE, TIME_ZONE, DST_SELECTED, MAX_OCCURRENCE?) 


/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/SCHEDULE/DAILY 


attribute: frequency_days frequency_days is required for a report that runs after some number of days 
(from 1 to 365) 


REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/SCHEDULE/WEEKLY 


/SCHEDUL 


attribute: frequency_weeks frequency_weeks is required for a report that runs after some number of 
weeks (from 1 to 52) 


mi 


attribute: weekdays weekdays is required for a report that runs after some number of weeks on a 
particular weekday (from 0 to 6), where 0 is Sunday and 6 is Saturday, 
multiple weekdays are comma separated 


REPORT LIST OUTPUT/RESPONSE/SCHEDULE. REPORT. LIST/REPORT/SCHEDULE/ 


/SCHEDUL 
MONTHLY 


m 


attribute: freguency months freguency. months is required for a report that runs after some number of 
months (from 1 to 12) 


attribute: day. of month day. of months implied and, if present, indicates the report runs on the Nth 
day of the month (from 1 to 31) 


attribute: day. of week day of weekis implied and, if present, indicates the report runs on the Nth 
day of the month on a particular weekday (from 0 to 6), where 0 is 
Sunday and 6 is Saturday 
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attribute: week. of month 
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element specifications / notes 
week of month is implied and, if present, indicates the report runs on the 


Nth day of the month on the Nth week of the month (from 1 to 5), 

where 1 is the first week of the month and 5 is the fifth week of the 

month 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/SCHEDULE 
START_DATE_UTC (#PCDATA) 

The start date (in UTC format) defined for the report schedule 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/SCHEDULE 
START_HOUR (#PCDATA) 

The start hour defined for the report schedule. 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/SCHEDULE, 

START MINUTE (4PCDATA) 

The start minute defined for the report schedule. 

/SCHEDULE REPORT LIST OUTPUT/RESPONSE/SCHEDULE. REPORT. LIST/REPORT/SCHEDULE 
TIME ZONE TIME ZONE CODE, TIME. ZONE. DETAILS 

SC PORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/SCHEDULE 
TIME TIME_ZONE_CODE (#PCDATA) 

The time zone code defined for the report schedule. For example: US-CA. 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/SCHEDULE/ 
TIME_ZONE/TIME_ZONE_DETAILS (#PCDATA) 

The time zone details (description) for the local time zone, identified in the 

<TIME_ZONE_CODE> element. For example:, (GMT-0800) United States 

(California): Los Angeles, Sacramento, San Diego, San Francisco. 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/SCHEDULE/ 
DST_SELECTED (#PCDATA) 

When set to 1, Daylight Saving Time (DST) is enabled for the report 

schedule. 
/SCHEDULE_REPORT_LIST_OUTPUT/RESPONSE/SCHEDULE_REPORT_LIST/REPORT/SCHEDULE/ 


MAX OCCURRENCE (#PCDATA) 


The number of times the report schedule will be run before it is deactivated 


(from 1 to 99). 
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Scan Report Template Output 
API used 


<platform API server>/api/2.0/fo/report/template/scan/?action=export 


DTD for Scan Report Template Output 
<platform API server>/api/2.0/fo/report/template/scan/scanreporttemplate info.dtd 


A recent DTD is shown below. 


<!-- QUALYS REPORT SCAN TEMPLATE OUTPUT DTD --> 
<!ELEMENT REPORTTEMPLATE (SCANTEMPLATE) *> 
<!ELEMENT SCANTEMPLATE 
(TITLE | TARGET | DISPLAY | FILTER| SERVICESPORTS | USERACCESS ) *> 
<!ELEMENT TITLE (INFO) *> 

<!ELEMENT INFO (#PCDATA) > 

<!ATTLIST I 

key CDATA #REQUIRED> 
<!ELEMENT TARGET (INFO) *> 
<!ELEMENT DISPLAY (INFO) *> 
<!ELEMENT FILTER (INFO) *> 
<!ELEMENT SERVICESPORTS (INFO) *> 
<!ELEMENT USERACCESS (INFO) *> 
<!-- EOF --> 


XPaths for Scan Report Template Output 


XPath element specifications / notes 

/REPORT_SCAN_TEMPLATE_OUTPU 

/REPORT_SCAN_TEMPLATE_OUTPUT/REPORTTEMPLATE 

/REPORT_SCAN_TEMPLATE_OUTPUT/REPORTTEMPLATE/SCANTEMPLATE 
(TITLE|TARGET|DISPLAY|FILTER|SERVICESPORTS|USERACCESS) 

/REPORT_SCAN_TEMPLATE_OUTPUT/REPO EMPLATE/SCANTEMPLATE/TITLE 

/REPORT_SCAN_TEMPLATE_OUTPUT/REPO EMPLATE/SCANTEMPLATE/TITLE/INFO (#PCDATA) 


R 

R 

The template title and owner. 

[REPORT SCAN TEMPLATE OUTPUT/REPORTTEMPLATE/SCANTEMPLATE/TARGE 
(REPORT. SCAN. TEMPLATE OUTPUT/REPORTTEMPLATE/SCANTEMPLATE/TARGET/INFO (#PCDATA) 
The target assets to include in the report. 

/REPORT. SCAN TEMPLATE. OUTPUT/REPORTTEMPLATE/SCANTEMPLATE/DISPLAY 

(REPORT. SCAN. TEMPLATE. OUTPUT/REPORTTEMPLATE/SCANTEMPLATE/DISPLAY/INFO (#PCDATA) 
Display options such as graphs amount of detail. 

/REPORT SCAN TEMPLATE OUTPUT/REPORTTEMPLATE/SCANTEMPLATE/FILTER 
/REPORT. SCAN. TEMPLATE. OUTPUT/REPORTTEMPLATE/SCANTEMPLATE/FILTER/INFO (#PCDATA) 
Filter options such as vulnerability status, categories, QIDs, and OS. 
/REPORT_SCAN_TEMPLATE_OUTPUT/REPORTTEMPLATE/SCANTEMPLATE/SERVICESPORTS 
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element specifications / notes 


/REPORT. SCAN TEMPLATE OUTPUT/RE 


INFO (4PCDATA) 


Service 


s and ports to include in report. 


PORTTEMPLATE/SCANTEMPLATE/SERVICESPORTS/ 


/REPORT_SCAN_ 


EMPLATE_OU 


PUT/RE 


PORTTEMPLATE/SCANTEMPLATE/USERACCESS 


/REPORT_SCAN 
INFO (#PCDATA) 


EMPLATE_OU 


PUT/RE 


Contro 


PORTTEMPLATE/SCANTEMPLATE/USERACCESS/ 


user access to template and reports generated from the template. 
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<platform API server>/api/2.0/fo/report/template/pciscan/?action=export 


DTD for PCI Scan Template Output 


<platform API server>/api/2.0/fo/report/template/pci 


A recent DTD is shown below. 


scan/pciscanreporttemplate_info.dtd 


<!ELEMENT REPORTTEMPLATE 


PCISCANTEMPLATE 


) *> 


<!ELEMENT PCISCANTEMPLATE 


(TITLE | TARGET | DISPLAY | FILTER| SERVICESPORTS | USERACCESS | PCIRISKRANKING) *> 


<!ELEMENT TITLE (INFO) *> 
<!ELEMENT INFO (#PCDATA) > 
<!ATTLIST INFO 
key CDATA #REQUIRED> 
<!ELEMENT TARGET (INFO) *> 
<!ELEMENT DISPLAY (INFO) *> 


<!ELEMENT FILTER (INFO) *> 
<!ELEMENT SERVICESPORTS (INFO) *> 
<!ELEMENT USERACCESS (INFO) *> 
<!ELEMENT PCIRISKRANKING (INFO) *> 


XPaths for PCI Scan Template Output 


XPath element specifications / notes 


/REPORT_PCISCAN_TEMPLATE_OUTPU 


/REPORT_PCISCAN_TEMPLATE_OUTPUT/REPORTTEMPLATE 


/REPORT_PCISCAN_TEMPLATE_OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE 
(TITLE|TARGET|DISPLAY|FILTER|SERVICESPORTS|USERACCESS|PCIRISKRAN 


The template title and owner. 


KING) 
/REPORT_PCISCAN_TEMPLATE_OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE/TITLE 
/REPORT_PCISCAN_TEMPLATE_OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE/TITLE/ 


J 
O 
y 
O 
Dm 
O 
> 
Z 
ri 
z 
D 


LAT 


mi 
© 
E 
hg] 
£ 
BS 
Es 
mi 
y 
O 
La 
< 
TJ 


LATE/PCISCANTEMPLATE/TARGET 


m 


The target assets to include in the report. 


PORT. PCISCAN, TEMPLATE OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE/TARGET/ 


m 


EPORT. PCISCAN. TEMPLATE OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE/DISPLAY 


PORT. PCISCAN. TEMPLATE. OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE/DISPLAY/ 


Display options such as graphs amount of detail. 


(REPORT. PCISCAN. TEMPLA 


mi 
© 
G 
HU 
ye 

== 
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REPORTTEMPLATE/PCISCANTEMPLATE/FILTER 
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XPath element specifications / notes 
/REPORT. PCISCAN. TEMPLATE, OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE/FILTER/ 
INFO (#PCDATA) 

Filter options such as vulnerability status, categories, QIDs, and OS. 
[REPORT PCISCAN. TEMPLATE, OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE/SERVICESPORTS 
/REPORT. PCISCAN. TEMPLATE. OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE/SERVICESPORTS/ 
INFO (#PCDATA) 

Services and ports to include in report. 
[REPORT PCISCAN. TEMPLATE. OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE/USERACCESS 
[REPORT PCISCAN. TEMPLATE, OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE/USERACCESS/ 
INFO (#PCDATA) 

Control user access to template and reports generated from the template. 


(REPORT. PCISCAN. TEMPLATE OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE/PCIRISKRANKING 
O 


/REPORT. PCISCAN. TEMPLATE. OUTPUT/REPORTTEMPLATE/PCISCANTEMPLATE/PCIRISKRANKING/INFO 
(#PCDATA) 


Configure PCI Risk Ranking. 
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Patch Template Output 


API used 
<platform API server>/api/2.0/fo/report/template/patch/?action=export 


DTD for Patch Template Output 
<platform API server>/api/2.0/fo/report/template/patch/patchreporttemplate info.dtd 


A recent DTD is shown below. 


<!ELEMENT REPORTTEMPLATE (PATCHTEMPLATE) *> 

<!ELEMENT PATCHTEMPLATE (TITLE|TARGET|DISPLAY|FILTER|USERACCESS)*> 

<!ELEMENT TITLE (INFO) *> 
N 
S 


T 


<!EL T INFO (#PCDATA) > 
<!ATTLIST INFO 

key CDATA #REQUIRED> 
<!EL NT TARGET (INFO) *> 
<!EL NT DISPLAY (INFO) *> 
<!ELEMENT FILTER (INFO) *> 
<!ELEMENT USERACCESS (INFO) *> 


XPaths for Patch Template Output 


XPath element specifications / notes 
/REPORT_PATCH_TEMPLATE_OUTPU 
/REPORT_PATCH_TEMPLATE_OUTPUT/REPORTTEMPLATE 
/REPORT_PATCH_TEMPLATE_OUTPUT/REPORTTEMPLATE/PATCHTEMPLATE 
(TITLE[TARGET|DISPLAY|FILTER|USERACCESS) 
/REPORT_PATCH_TEMPLATE_OUTPUT/REPORTTEMPLATE/PATCHTEMPLATE/TITLE 
/REPORT_PATCH_TEMPLATE_OUTPUT/REPORTTEMPLATE/PATCHTEMPLATE/TITLE/INFO (#PCDATA) 
The template title and owner. 
/REPORT_PATCH_TEMPLATE_OUTPUT/REPORTTEMPLATE/PATCHTEMPLATE/TARGET 
/REPORT_PATCH_TEMPLATE_OUTPUT/REPORTTEMPLATE/PATCHTEMPLATE/TARGET/INFO (#PCDATA) 
The target assets to include in the report. 
/REPORT_PATCH_TEMPLATE_OUTPUT/REPORTTEMPLATE/PATCHTEMPLATE/DISPLAY 
/REPORT_PATCH_TEMPLATE_OUTPUT/REPORTTEMPLATE/PATCHTEMPLATE/DISPLAY/INFO (#PCDATA) 
Display options to include in the report. 
/REPORT_PATCH_TEMPLATE_OUTPUT/REPORTTEMPLATE/PATCHTEMPLATE/FILTER 
/REPORT_PATCH_TEMPLATE_OUTPUT/REPORTTEMPLATE/PATCHTEMPLATE/FILTER/INFO (#PCDATA) 
Filter options such as vulnerabilities, QIDs, patches. 
/REPORT_PATCH_TEMPLATE_OUTPUT/REPORTTEMPLATE/PATCHTEMPLATE/USERACCESS 
/REPORT_PATC EMPLATE_OUTPUT/REPORTTEMPLATE/PATCHTEMPLATE/USERACCESS/ 


INFO (#PCDATA) — 


Control user access to template and reports generated from the template. 
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Map Template Output 
API used 


<platform API server>/api/2.0/fo/report/template/map/?action=export 


DTD for Map Template Output 
<platform API server>/api/2.0/fo/report/template/map/mapreporttemplate info.dtd 


A recent DTD is shown below. 


<!ELEMENT REPORTTEMPLATE (MAPTEMPLATE) *> 

<!ELEMENT MAPTEMPLATE (TITLE| DISPLAY | FILTER |OPERATINGSYSTEM) *> 

<!ELEMENT TITLE (INFO) *> 
N 
S 


<!EL T INFO (#PCDATA) > 
<!ATTLIST INFO 
key CDATA #REQUIRED> 
<!ELEMENT DISPLAY (INFO) *> 
<!ELEMENT FILTER (INFO) *> 
<!ELEMENT OPERATINGSYSTEM (INFO) *> 


XPaths for Map Template Output 


XPath element specifications / notes 
/REPORT MAP TEMPLATE O 
/REPORT MAP TEMPLATE OUTP 
/REPORT. MAP TEMPLATE O 


EMPLATE 
/REPORTTEMPLATE/MAPTEMPLATE 
LAY|FILTERJOPERATINGSYSTEM) 
/REPORTTEMPLATE/MAPTEMPLATE/TITLE 
/REPORTTEMPLATE/MAPTEMPLATE/TITLE/INFO (#PCDATA) 
te title and owner. 
/REPORT. MAP TEMPLATE, O /REPORTTEMPLATE/MAPTEMPLATE/DISPLAY 
(REPORT. MAP TEMPLATE OUTPUT/REPORTTEMPLATE/MAPTEMPLATE/DISPLAY/INFO (#PCDATA) 


Display options to include in the report. 


S S| S 
= 
a] 

T 

U 
O 
Es) 


a 
3 
= 
4 
= 
dag) 
U 
(72) 
Y 


/REPORT. MAP. TEMPLATE 
/REPORT. MAP TEMPLATE 


sl El € 
> 
oO 
(0) 
3 
Ye, 
[aP] 


/REPORT. MAP TEMPLATE. OUTPUT/REPORTTEMPLATE/MAPTEMPLATE/FILTER 

/REPORT MAP TEMPLATE OUTPUT/REPORTTEMPLATE/MAPTEMPLATE/FILTER/INFO (#PCDATA) 
Filter options such as vulnerabilities, OIDs, MAPes. 

/REPORT. MAP TEMPLATE, OUTPUT/REPORTTEMPLATE/MAPTEMPLATE/OPERATINGSYSTEM 

/REPORT. MAP TEMPLATE. OUTPUT/REPORTTEMPLATE/MAPTEMPLATE/OPERATINGSYSTEM/ 


INFO (4 PCDATA 


The selected operating system. 
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Map Report Output 


API used 
<platform API server>/api/2.0/fo/report/?action=fetch 
<platform API server>/msp/map_report.php 


DTD for Map Report Output 
<platform API server>/map.dtd 


A recent DTD is shown below. 


<?xml version="1.0" encoding="UTF-8"?> 

<!-- QUALYS MAP REPORT DTD --> 

<!ELEMENT MAPREPORT (HEADER, HOST LIST) > 

<!ELEMENT HEADER (DOMAIN, NETWORK?, USERNAME, REPORT TEMPLATE, 
REPORT TITLE, RESTRICTED IPS?, MAP RESULT LIST, NETWORK?) > 
<!ELEMENT DOMAIN (#PCDATA) > 

<!ELEMENT NETWORK (#PCDATA) > 

<!ELEMENT USERNAME (#PCDATA) > 

<!ELEMENT REPORT TEMPLATE PCDATA) > 

<!ELEMENT REPORT TITLE (#PCDATA) > 


<!ELEMENT RESTRICTED IPS (#PCDATA) > 

<!ELEMENT MAP RESULT LIST (MAP _RESULT+) > 

<!ELEMENT MAP RESULT (MAP RESULT TITLE, MAP DATE, OPTION PROFILE, 

MAP REFERENCE) > 

<!ELEMENT MAP RESULT TITLE (#PCDATA) > 

<!ELEMENT MAP DATE (#PCDATA) > 

<!ELEMENT OPTION PROFILE (#PCDATA) > 

<!ELEMENT MAP REFERENCE (#PCDATA) > 

<!ELEMENT HOST LIST (HOST+)> 

<!ELEMENT HOST (IP, HOSTNAME, NETBIOS, ROUTER, OS, APPROVED?, SCANNABLE?, 


E 
IN NETBLOCK?, LIVE?, DISCOVERY LIST?, ASSET GROUPS?, 
TICATION RECORDS?, HOST STATUS?, LAST SCAN DATE?)> 


N 
A 


T IP (#PCDATA) > 

<!ATTLIST IP network id CDATA #IMPLIED> 

<!ELEMENT HOSTNAME (#PCDATA) > 

<!ELEMENT NETBIOS (#PCDATA) > 

<!ELEMENT R (t PCDATA) > 

<!ELEMENT OS (#PCDATA) > 
A D 
S 


(#PCDATA)> 

: CANNABLE (#PCDATA) > 

<!ELEMENT IN NETBLOCK (#PCDATA) > 

<!ELEMENT LIVE (#PCDATA) > 

<!ELEMENT DISCOVERY LIST (DISCOVERY*) > 
<!ELEMENT DISCOVERY (DISCOVERY NAME*, PORT*) > 
<!ELEMENT DISCOVERY NAME (#PCDATA) > 

<!ELEMENT PORT (#PCDATA) > 
<!ELEMENT ASSET GROUPS (AG NAME*) > 
<!ELEMENT AG NAME (#PCDATA) > 
<!ELEMENT AUTHENTICATION RECORDS (AUTHENTICATION* ) > 
<!ELEMENT AUTHENTICATION (#PCDATA) > 
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<!ELEMENT HOST STATUS (#PCDATA)> 
<!ELEMENT LAST SCAN DATE (#PCDATA) > 


XPaths for Map Report Output 


XPath element specifications / notes 
/MAPREPORT (HEADER, HOST_LIST) 


/MAPREPORT/HEADER 


(DOMAIN, NETWORK?, USERNAME, REPORT_TEMPLATE, REPORT_TITLE, 
RESTRICTED_IPS?, MAP_RESULT_LIST, NETWORK?) 


/MAPREPORT/HEADER/DOMAIN — (#PCDATA) 


Target domain name for the map report. 
/MAPREPORT/HEADER/NETWORK  (#PCDATA) 


Target network if any for the map report. 
/MAPREPORT/HEADER/USERNAME, (#PCDATA) 


Username who fetched the map report. 
/MAPREPORT/HEADER/REPOR EMPLATE — (*PCDATA) 


Report template used to run the map report. 
/MAPREPORT/HEADER/REPOR TLE (#PCDATA) 


litle of the map report. 
/MAPREPORT/HEADER/RESTRICTED_IPS (#PCDATA) 


IPs selected for inclusion in the map report. 
/MAPREPORT/HEADER/MAP_RESULT_LIST (MAP_RESULT+ 
/MAPREPORT/HEADER/MAP_RESULT_LIST/MAP_RESULT (MAP_RESULT+) 


/MAPREPORT/HEADER/MAP_RESULT_LIST/MAP_RESULT 
(MAP_RESULT_TITLE, MAP_DATE, OPTION_PROFILE, MAP_REFERENCE) 


/MAPREPORT/HEADER/MAP_RESULT_LIST/MAP_RESULT/MAP_RESULT_TITLE #PCDATA 


Title of the map task/result. 
/MAPREPORT/HEADER/MAP_RESULT_LIST/MAP_RESULT/MAP_DATE (#PCDATA) 


Date when the map was launched. 
/MAPREPORT/HEADER/MAP_RESULT_LIST/MAP_RESULT/OPTION_PROFILE (4PCDATA) 


Option profile used to run the map. 
/MAPREPORT/HEADER/MAP_RESULT_LIST/MAP_RESULT/MAP_REFERENCE (#PCDATA) 


Map reference code. 
/MAPREPORT/HOST_LIST (HOST+ 
/MAPREPORT/HOST_LIST/HOST 


(IP, HOSTNAME, NETBIOS, ROUTER, OS, APPROVED?, SCANNABLE?, 
IN NETBLOCK?, LIVE?, DISCOVERY LIST?, ASSET_GROUPS?, 
AUTHENTICATION. RECORDS?, HOST. STATUS?, LAST. SCAN DATE?) 


/MAPREPORT/HOST LIST/HOST/IP (#PCDATA) 


IP address of host discovered. 


attribute: network id The network ID of the discovered host if any. 
/MAPREPORT/HOST_LIST/HOST/HOSTNAME  (#PCDATA) 


DNS hostname of host discovered if any. 
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element specifications / notes 


PO 


/H 


OS 


_LIST/HOS 


/NETBIOS (#PCDATA) 
NetBIOS hostname of host discovered if any. 


RE 


PO 


/H 


OS 


_LIST/HOS 


/ROUTER (#PCDATA) 


Router used to discover host. 


RE 


PO 


/H 


OS 


_LIST/HOS 


JOS (#PCDATA) 


Operating system detected on host. 


RE 


PO 


/H 


OS 


BIS 


/HOS 


/APPROVED (#PCDATA) 


1 means the host was marked as approved host at the time of the map, and 
O means it was not marked as approved. 


RE 


PO 


/H 


OS 


ETS, 


/HOS 


/SCANNABLE (4PCDATA) 


1 means the host was marked as scannable since it was in your 
subscription at the time of the map, and 0 means it was not marked as 
scannable. 


RE 


PO 


/H 


OS 


_LIST/HOS 


/IN_NETBLOCK (4PCDATA) 


1 means the host was defined in a netblock within the map target, and 0 
means it was not defined in a netblock. 


RE 


PO 


/H 


OS 


ISAS 


/LIVE (#PCDATA) 


1 means host was found to be alive (up and running), and 0 means it was 
found to be not alive. 


RE 


PO 


/H 


OSTA 


/HOST/DISCOVERY LIST (DISCOVERY”) 


RE 


PO 


/H 


OS 


/HOS 


(DISCOVERY LIST/DISCOVERY (DISCOVERY. NAME*, PORT”) 


RE 


PO 


/H 


OSIE 


/HOS 


/DISCOVERY_LIST/DISCOVERY/DISCOVERY_NAME (#PCDATA) 


The name of discovery. 


RE 


PO 


/H 


OS 


/PORT (#PCDATA) 


[he port where discovery was made. 


RE 


PO 


/H 


OSTE 


/ASSET GROUPS (AG NAME*) 


RE 


PO 


/H 


OST 


/ASSET_GROUPS/AG_NAME (4PCDATA) 


The name of an asset group containing the host. 


RE 


PO 


/H 


OST_ 


/HOS 


/AUTHENTICATION RECORDS  (AUTHENTICATION”) 


RE 


PO 


/H 


OSTE 


/HOST/AUTHENTICATION_RECORDS/AUTHENTICATION (#PCDATA) 


The name of an authentication record containing the host. 


RE 


PO 


/H 


OSTE 


/HOST. STATUS (4PCDATA) 


The host status. 


RE 


PO 


/H 


OSTZ 


/LAST SCAN DATE (#PCDATA) 


The last date the host was scanned. 


236 


Patch Report (XML) Output 


API used 
<platform API server>/api/2.0/fo/report/?action=fetch 


DTD for Patch Report Output 
<platform API server>/patch_report.dtd 


Q 


SUMMARY, 
PATCH LIST BY QID?, 


ualys API (VM, PC) XML/DTD Reference 
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PATCH LIST BY HOST?, 


COMPANY INFO, USER INFO) > 


STATE 


COUNTRY, ZIP CODE) 


, 


PATCH SUMMARY) > 


IP LIST, TAG LIST, GROUP BY, 


EOUIRING PATCHE 


A recent DTD is shown below. 
<?xml version="1.0" encoding="UTF-8"?> 
<!-- QUALYS PATCH REPORT DTD --> 
<!ELEMENT PATCH REPORT (ERROR | (HEADER, 
PATCH LIST BY AG?, PATCH LIST BY OS?, 
NON RUNNING KERNELS?) ) > 
<!ELEMENT ERROR (#PCDATA) > 
<!ATTLIST ERROR number CDATA #IMPLIED> 
<!-- GENERIC HEADER --> 
<!ELEMENT HEADER (NAME, GENERATION DATETIME, 
<!ELEMENT NAME (#PCDATA) > 
<!ELEMENT GENERATION DATETIME (#PCDATA) > 
<!ELEMENT COMPANY INFO (NAME, ADDRESS, CITY, 
<!ELEMENT ADDRESS (#PCDATA) > 
<!ELEMENT CITY (#PCDATA) > 
<!ELEMENT STATE (#PCDATA) > 
<!ELEMENT COUNTRY (#PCDATA) > 
<!ELEMENT ZIP CODE (#PCDATA) > 
<!ELEMENT USER INFO (NAME, USERNAME, ROLE) > 
<!ELEMENT USERNAME (#PCDATA) > 
<!ELEMENT ROLE (#PCDATA) > 
<!-- SUMMARY DETAILS --> 
<!ELEMENT SUMMARY (REPORT SUMMARY, 
<!ELEMENT REPORT SUMMARY (TITLE, GROUP LIST, 
CREATED ON, NETWORK) > 
<!ELEMENT TITLE (#PCDATA) > 
<!ELEMENT GROUP LIST (#PCDATA) > 
<!ELEMENT IP LIST (#PCDATA) > 
<!ELEMENT TAG LIST (#PCDATA) > 
<!ELEMENT GROUP BY (#PCDATA) > 
<!ELEMENT CREATED ON (#PCDATA) > 
<!ELEMENT PATCH SUMMARY (TOTAL PATCHES, HOSI 
VULN ADDRESSED) > 
<!ELEMENT TOTAL PATCHES (#PCDATA) > 
<!ELEMENT HOST REQUIRING PATCHES (*PCDA1 
<!ELEMENT VULN ADDRESSED (#PCDATA) > 
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<!-- PATCH LIST BY HOST --> 
<!ELEMENT PATCH LIST BY HOST (HOST LIST?, PATCH LINKS)> 


<!-- PATCH LIST BY ASSET GROUP --> 
<!ELEMENT PATCH LIST BY AG (ASSET GROUPS, PATCH LINKS)> 


<!ELEMENT ASSET GROUPS (ASSET GROUP*) > 
<!ELEMENT ASSET GROUP (NAME?, TOTAL PATCHES?, HOST N 
TOTAL DETECTION FIXED?, HOST LIST?)> 
<!ELEMENT HOST NEEDING PATCHES (#PCDATA) > 
<!ELEMENT TOTAL DETECTION FIXED (#PCDATA) > 


T 


EDING_PATCHES?, 


<!ELEMENT PATCH LIST BY OID (PATCH LIST, PATCH_LINKS)> 
<!ELEMENT PATCH LIST (PATCH INFO*)> 


<!-- PATCH LIST BY OID --> 


<!-- PATCH LIST BY OS --> 


<!ELEMENT PATCH LIST BY OS (OS LIST?, PATCH LINKS) > 


<!ELEMENT OS LIST (05*)> 

<!ELEMENT OS DETAILS (NAME?, TOTAL PATCHES?, 

SUMMARY HOSTS NEEDING PATCHES?, SUMMARY TOTAL DETECTIONS FIXED?, 

PATCH LIST) > 
<!ELEMENT 
<!ELEMENT 


T 


MARY HOSTS NEEDING PATCHES (#PCDATA) > 
MARY TOTAL DETECTIONS FIXED (#PCDATA) > 


<!ELEMENT HOST LIST (HOST*) > 


<!ELEMENT HOST (IP?, DNS?, NETBIOS?, OS?, OS CPE?, PATCH COUNT?, 
VULN COUNT?, NETWORK?, CLOUD PROVIDER?, CLOUD PROVIDER SERVICE?, 
CLOUD RESOURCE TYPE?, CLOUD RESOURCE ID?, CLOUD ACCOUNT?, 


CLOUD IMAGE ID?, CLOUD RESOURCE METADATA?, PATCH LIST?, DETECTION INFO? 


<!ELEMENT IP (#PCDATA) > 
<!ELEMENT DNS (#PCDATA) > 
<!ELEMENT NETBIOS (#PCDATA) > 
<!ELEMENT OS (#PCDATA) > 
<!ELEMENT OS CPE (#PCDATA) > 
<!ELEMENT PATCH COUNT (#PCDATA) > 


<!ELEMENT NETWORK (#PCDATA) > 

<!ELEMENT CLOUD PROVIDER (#PCDATA) > 
<!ELEMENT CLOUD PROVIDER SERVICE (#PCDATA) > 
<!ELEMENT CLOUD RESOURCE TYPE (#PCDATA) > 
<!ELEMENT CLOUD RESOURCE ID (#PCDATA) > 
<!ELEMENT CLOUD ACCOUNT (#PCDATA) > 
<!ELEMENT CLOUD IMAGE ID (#PCDATA) > 


<!ELEMENT CLOUD RESOURCE METADATA (INSTANCE ID?, PUBLIC DNS NAME?, 
PUBLIC IP ADDRESS?, PRIVATE IP ADDRESS?, IMAGE ID?, SPOT INSTANCE?, 
AVAILABILITY ZONE?, VPC ID?, 

GROUP ID?, GROUP NAME?, LOCAL HOSTNAME?, INSTANCE STATE?, 


PRIVATE DNS NAME?, INSTANCE TYPE?, ACCOUNT ID?, REGION CODE?, SUBNET ID?, 
RESERVATION ID?, MAC ADDRESS?) > 
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<!ELEMENT INSTANCE ID (#PCDATA) > 
<!ELEMENT PUBLIC DNS NAME (#PCDATA) > 
<!ELEMENT PUBLIC IP ADDRESS (#PCDATA) > 
<!ELEMENT PRIVATE IP ADDRESS (#PCDATA) > 
<!ELEMENT IMAGE ID (#PCDATA) > 
<!ELEMENT SPOT INSTANCE (#PCDATA) > 
<!ELEMENT AVAILABILITY ZONE (#PCDATA) > 
<!ELEMENT VPC_ID (#PCDATA) > 
<!ELEMENT GROUP_ID (#PCDATA) > 
<!ELEMENT GROUP NAME (#PCDATA) > 
<!ELEMENT LOCAL HOSTNAME (#PCDATA) > 
<!ELEMENT INSTANCE STATE (#PCDATA) > 
<!ELEMENT PRIVATE DNS NAME (#PCDATA) > 
<!ELEMENT INSTANCE TYPE (#PCDATA) > 
<!ELEMENT ACCOUNT ID (#PCDATA) > 
<!ELEMENT REGION CODE (#PCDATA) > 
<!ELEMENT SUBNET ID (#PCDATA) > 
<!ELEMENT RESERVATION ID (#PCDATA) > 
<!ELEMENT MAC ADDRESS (#PCDATA) > 
<!ELEMENT PATCH INFO (PATCH OID?, VENDOR ID?, SEVERITY?, PATCH TITLE?, 
VULN_COUNT?, PATCH PUBLISHED?, DETECTION INFO?) > 
<!ELEMENT PATCH OID (#PCDATA) > 
<!ELEMENT VENDOR_ID (#PCDATA) > 
<!ELEMENT SEVERITY (#PCDATA) > 
<!ELEMENT PATCH TITLE (#PCDATA) > 
<!ELEMENT VULN COUNT (#PCDATA) > 
<!ELEMENT PATCH PUBLISHED (#PCDATA) > 
<!ELEMENT DETECTION INFO (VULN OID?, VULN SEVERITY?, VULN TYPE?, 
VULN TITLE?, DETECTION INSTANCE?, DETECTION NORMALIZED INSTANCE?, 
DETECTION DATE LAST FOUND?)> 
<!ELEMENT VULN OID (#PCDATA) > 
<!ELEMENT VULN SEVERITY (#PCDATA) > 
<!ELEMENT VULN TYPE (#PCDATA) > 
<!ELEMENT VULN TITLE (#PCDATA) > 
<!ELEMENT DETECTION INSTANCE (#PCDATA) > 
<!ELEMENT PATCH LINKS (PATCH*)> 
<!ELEMENT PATCH (PATCH OID?, OS?, LINK?)> 
<!ELEMENT NON RUNNING KERNELS (PATCH QID?, IP?, SEVERITY?) > 
<!ELEMENT LINK (#PCDATA) > 


XPaths for Patch Report Output 


XPath 


element specifications / notes 


<!ELEMENT PATCH_REPORT (ERROR | (HEADER, SUMMARY, PATCH_LIST_BY_HOST?, PATCH_LIST_BY_AG?, 


MUCK AL ILS IN (OS? GIS LIS BN OND, 


<!ELEMENT HEADER (NAME, GENERATION_DATETIME, COMPANY_INFO, USER_INFO)> 


The header section tells you who created the report and when, company 
information (name and address) and user information (username and role). 
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element specifications / notes 


<!ELEMENT SUMMARY (REPORT. SUMMARY, PATCH. SUMMARY)> 
<!ELEMENT REPORT. SUMMARY (TITLE, GROUP LIST, IP LIST, TAG LIST, GROUP BY, CREATED ON, 


NETWORK)> 


<!ELEMENT PATCH. SUMMARY (TOTAL PATCHES, HOST. REOUIRING. PATCHES, VULN_ADDRESSED)> 


The 


summary section tells you report details (title, group, IPs, when was it 


created) and detailed summary about the patch including total patches, 
how many hosts were patched, and how many vulnerabilities were 


add 


essed. 


<!ELEMENT 


PAM Grime SIMAO Si (H 
The 


OST_LIST?, PATCH_LINKS)> 
patch list by host gives details about the host (host list and patch links) 


<!ELEMENT 


PATEGH_LIST_BYLAG (ASS 
The 


ET_GROUPS, PATCH_LINKS)> 


patch list by asset group gives details about the asset groups (asset 


group name, total patches, how many hosts needed tha patch, number of 


hosts that needed the patch, host list and the patch links) 


<!ELEMENT 


PATCH_LIST_BY_QID (PATCH_LIST, PATCH_LINKS)> 


The 


patch list by QID gives details about the host list and patch links. 


<!ELEMENT 


PATCH_LIST_BY_OS (OS_LIST?, PATCH_LINKS)> 


The 


patch list by OS gives details about the OS list (name, total patches, 


hosts that needed the patch, total detections that were fixed by the patch 


and 


the patch links. 


<!ELEMENT 


HOST. LIST (HOST*)> 
The 


host list section tells you various details about the host (IP, DNS, 


NETBIOS, OS, patch count, network, and patch list) 


<!ELEMENT CLOUD RESO 


URCE. METADATA (INSTANCE_ID?, PUBLIC DNS NAME?, PUBLIC IP ADDRESS?, 


PRIVATE IP ADDRESS?, IMAGE ID?, SPOT INSTANCE?, AVAILABILITY ZONE?, VPC ID?, 
, GROUP NAME?, LOCAL HOSTNAME?, INSTANCE_STATE?, PRIVATE, DNS NAME?, 
TYPE?, ACCOUNT ID?, REGION. CODE?, SUBNET_ID?, RESERVATION ID?, MAC. ADDRESS?)> 


GROUP ID? 
INSTANCE 


The 


cloud resource metadata section shows cloud provider metadata for 


each host when cloud metadata is included in the patch report. 


<!ELEMENT PATCH INFO (PATCH OID?, VENDOR ID?, SEVERITY?, PATCH. TITLE?, VULN COUNT?, 


PATCH PUBLIS 


HED?, DETECTION_INFO?)> 


Patch information (patch OID, vendor ID, severity, title, vulnerabilities fixed 
by the patch, patch published date, and the detection information). 


<!ELEMENT 


PATCH (PATCH OID?, OS? 


, LINK?)> 


Patch QID, OS and patch links. 


<!ELEMENT NON_RUNNING_KERNELS (PATCH_QID?, IP?, SEVERITY?)> 


The 


non running kernels section tells about the patch QID and severity. 
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VM Scan Report Output 


This output is returned for a host based VM scan report. 


API used 
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<platform API server>/api/2.0/fo/report/?action=fetch 


DTD for VM Scan Report Output 


<platform API server>/asset_data_report.dtd 


A recent DTD is shown below. 
<!-- QUALYS ASSET DATA REPORT DTD --> 
<!ELEMENT ASSET DATA REPORT (ERROR | (HEADER, RISK SCORE PER HOST?, 
HOST LIST?, GLOSSARY?, NON RUNNING KERNELS?, APPENDICES?) )> 
<!ELEMENT ERROR (#PCDATA) *> 
<!ATTLIST ERROR number CDATA #IMPLIED> 
<!-- HEADER --> 
<!ELEMENT HEADER (COMPANY, USERNAME, GENERATION DATETIME, TEMPLATE, 
TARGET, RISK SCORE SUMMARY?) > 
<!ELEMENT COMPANY (#PCDATA) > 
<!ELEMENT USERNAME (#PCDATA)> 
<!ELEMENT GENERATION DATETIME (#PCDATA) > 
<!ELEMENT TEMPLATE (#PCDATA)> 
<!ELEMENT TARGET (USER ASSET GROUPS?, USER IP LIST?, COMBINED IP LIST?, 
ASSET TAG LIST?) > 
<!ELEMENT USER ASSET GROUPS (ASSET GROUP TITLE+)> 
<!ELEMENT ASSET GROUP TITLE (#PCDATA) > 
<!ELEMENT USER IP LIST (RANGE*) > 
<!ELEMENT RANGE (START, END)> 
<!ATTLIST RANGE network id CDATA #IMPLIED> 
<!ELEMENT START (#PCDATA) > 
<!ELEMENT END (#PCDATA) > 
<!ELEMENT COMBINED IP LIST (RANGE*) > 
<!ELEMENT ASSET TAG LIST (INCLUDED TAGS, EXCLUDED TAGS?) > 
<!ELEMENT INCLUDED TAGS (ASSET TAG*) > 
<!ATTLIST INCLUDED TAGS scope CDATA #IMPLIED> 
<!ELEMENT EXCLUDED TAGS (ASSET TAG*) > 
<!ATTLIST EXCLUDED TAGS scope CDATA #IMPLIED> 
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<!-- AVERAGE RISK SCORE SUMMARY --> 
<!ELEMENT RISK SCORE SUMMARY (TOTA 
BUSINI _ RISK) > 
<!ELEMENT TOTAL VULNERABILITIES (#PCDATA) > 
<!ELEMENT AVG SECURITY RISK (#PCDATA) > 
<!ELEMENT BUSINESS RISK (#PCDATA) > 


| VULNERABILITIES, AVG SECURITY RISK, 


El 
109) 
un 


<!-- RISK SCORE PER HOST --> 

<!ELEMENT RISK SCORE PER HOST (HOSTS+) > 
<!ELEMENT HOSTS (IP ADDRESS, TOTAL VULNERABILITIES, 
<!ELEMENT IP ADDRESS (#PCDATA) > 

<!ATTLIST IP ADDRESS 


network id CDATA IMPLIED 


n 


ECURITY RISK) > 


<!ELEMENT SECURITY RISK (#PCDATA) > 


<!-- HOST LIST --> 


<!ELEMENT HOST LIST (HOST+)> 


(ERROR | (IP?, IPV6?, TRACKING METHOD, ASSET TAGS?, 
ID?, DNS?, NETBIOS?, QG HOSTID?, CLOUD PROVIDER?, 
CLOUD PROVIDER SERVICE?, CLOUD SERVICE?, CLOUD RESOURCE TYPE?, 
E ID?, CLOUD ACCOUNT?, EC2 INSTANCE ID?, CLOUD IMAGE ID?, 
IP INTERFACES?, EC2 INFO?, CLOUD RESOURCE METADATA?, AZURE VM INFO?, 
O 


T 


PERATING SYSTEM?, OS CPE?, ASSET GROUPS?, VULN INFO LIST?) )> 


<!ELEMENT IP (#PCDATA) > 
<!ATTLIST IP 
network id CDATA #IMPLIED 
v6 CDATA IMPLIED 


<!ELEMENT TRACKING METHOD (#PCDATA)> 
<!ELEMENT ASSET TAGS (ASSET_TAG+)> 


( 
<!ELEMENT ASSET_TAG (#PCDATA)> 


<!ELEMENT DNS (#PCDATA)> 

<!ELEMENT NETBIOS (#PCDATA)> 

<!ELEMENT OG HOSTID (#PCDATA)> 

<!ELEMENT CLOUD PROVIDER (#PCDATA)> 
<!ELEMENT CLOUD PROVIDER SERVICE (#PCDATA)> 
<!ELEMENT CLOUD SERVICE (#PCDATA)> 
<!ELEMENT CLOUD RESOURCE TYPE (#PCDATA)> 
<!ELEMENT CLOUD RESOURCE ID (#PCDATA) > 
<!ELEMENT CLOUD ACCOUNT (#PCDATA) > 
<!ELEMENT EC2 INSTANCE ID (#PCDATA) > 
<!ELEMENT CLOUD IMAGE ID (#PCDATA) > 
<!ELEMENT IP INTERFACES (IP*)> 


NS NAME?, IMAGE ID?,VPC ID?, INSTANCE STATE?, PRIVATE DNS NAME?, INS 
E?, ACCOUNT ID?, REGION CODE?, SUBNET ID?)> 
T CLOUD RESOURCE METADATA (INSTANCE ID?, PUBLIC DNS NAME? 
VM ID?, VM NAME?, PLATFORM?, HOST NAME?, MACHINE TYPE?, 


Fl 
a 
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5 
Q 
T 
H 
zZ 


+ 


~ADDUSUH 


H+ 


NI 


PROJECT ID?, 


INFO 


DUHU 
< 
D 
a 


£ 
IMAGE PUBLISHER?, IMAGE VERSION?, 
DRESS?, IMAGE ID?, 
P ID?, GROUP NAME?, 
NAME?, INSTANCE TYPE?, ACCOUNT 
ID?, SIZE?, SUBSCRIPTION ID?, 
NAME ?, MAC ADDRESS?) > 


IAG 


PUBLIC IP ADDRESS?, VPC NETWORK?, 
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ZONE?, 
SUBNET?, VM STATE?, 


SPOT INSTANCE?, AVAILABILITY ZONE?, 
LOCAL HOSTNAME?, 


INSTANCE STATE?, 
ID?, REGION CODE?, SUBNET ID?, 


SIZE?, SUBSCRIP1 


ITY ZONE 
PCDATA) > 
PCDATA) > 
(+ PCDATA) > 


A 


MAC ADDRESS ( 


PERATING 


E OFFER?, IMAGE VERSION?,SUBNET?,VM_STATE?, PRIVATE 


PCDATA) > 


E (#PCDATA) > 


(#PCDATA) > 
(#PCDATA) > 


(# PCDATA) > 

(# PCDATA) > 

E PCDATA) > 
(#PCDATA) > 


PCDATA) > 


PCDATA) > 
DATA) > 

( PCDATA) > 
PCDATA) > 


SYSTEM 
(#PCDATA) > 
(#PCDATA) > 
PCDATA) > 
PCDATA) > 


AGE VERSION 
| STATE 


H 
N 


E ( 


VUunMH<HHHRN < NJ 


H 


OCATION 


BSCRI 


ESOURCE GROUP NAME 
TA) > 


CPE (#PCDAT 


SET GROUPS 


N INFO LISI 


N INFO 


(OLD, 


PCDATA) > 


PCDATA) > 
(t PCDATA) > 


PCDATA) > 
IP ADDRESS 


(t PCDATA) > 
PCDATA) > 


PCDATA) > 
(#PCDATA) > 


ELEMENT SUBNET 


(#PCDATA) ><! 


(# PCDATA) > 
RIVATE IP ADDRESS 

PCDATA) > 
PTION ID 
(# PCDATA) > 


(#PCDATA) > 


(#PCDATA) > 


E (#PCDATA) > 


(VULN INFO+) > 


LOCATION?, 


PION ID?, LOCATION?, RESOURCE GROUP NAME?) > 


(#PCDATA) > 


(ASSET GROUP TITLE+)> 


TYPE, 


PORT?, SERVICE?, 


FODN?, PROTOCOL?, SSL?, 


ESULT?, FIRST FOUND?, LAST FOUND?, TIMES FOUND?, 


LAST FIXED?, 


T 


FIRST REOPEN 


D?, 


LAST REOPENED?, 
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TIMES REOPENED?, CVSS FINAL?, CVSS3 FINAL?, TICKET NUMBER?, 
TICKET STATE?) > 


<!ELEMENT QID (#PCDATA) > 
<!ATTLIST OID id CDATA #REQUIRED> 


<!ELEMENT TYPE (#PCDATA) > 
<!ELEMENT PORT (#PCDATA) > 
<!ELEMENT SERVICE (#PCDATA) > 
<!ELEMENT FQDN (#PCDATA) > 
<!ELEMENT PROTOCOL (#PCDATA)> 
<!ELEMENT SSL (#PCDATA) > 


<!ELEMENT RESULT (#PCDATA) > 
<!ATTLIST RESULT format CDATA *IMPLII 


El 


D> 


<!ELEMENT FIRST FOUND (#PCDATA) > 
<!ELEMENT LAST FOUND (#PCDATA) > 
<!ELEMENT TIMES FOUND (#PCDATA) > 
<!-- Note: VULN STATUS is N/A for IGs --> 
<!ELEMENT VULN STATUS (#PCDATA) > 
<!ELEMENT LAST FIXED (#PCDATA) > 
<!ELEMENT FIRST REOPENED (#PCDATA) > 
<!ELEMENT LAST REOPENED (#PCDATA) > 
<!ELEMENT TIMES REOPENED (#PCDATA) > 
<!ELEMENT CVSS FINAL (#PCDATA) > 
<!ELEMENT CVSS3 FINAL (#PCDATA) > 
<!ELEMENT TICKET NUMBER (#PCDATA) > 


<!ELEMENT TICKET STATE (#PCDATA) > 


<!ELEMENT INSTANC 


El 


PCDATA) > 


<!-- GLOSSARY --> 


<!ELEMENT GLOSSARY (VULN DETAILS LIST) > 


<!ELEMENT VULN DETAILS LIST (VULN DETAILS+) > 


<!ELEMENT VULN DETAILS (QID, TITLE, SEVERITY, CATEGORY, CUSTOMIZED?, 
THREAT, THREAT COMMENT?, IMPACT, IMPACT COMMENT?, SOLUTION, 
SOLUTION COMMENT?, COMPLIANCE?, CORRELATION?, PCI FLAG, LAST UPDATE?, 
CVSS SCORE?, CVSS3 SCORE?, VENDOR REFERENCE LIST?, CVE ID LIST?, 

BUGTRAO ID LIST?) > 
<!ATTLIST VULN DETAILS id ID #REQUIRED> 


<!ELEMENT TITLE (#PCDATA) > 
<!ELEMENT SEVERITY (#PCDATA) > 
<!ELEMENT CATEGORY (#PCDATA) > 


<!ELEMENT CUSTOMIZED (DISABLED?, CUSTOM SEVERITY?) > 
<!ELEMENT DISABLED (#PCDATA) > 
<!ELEMENT CUSTOM SEVERITY (#PCDATA) > 


<!ELEMENT THREAT (#PCDATA) > 
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<!ELEMENT THREAT COMMENT (#PCDATA) > 
<!ELEMENT IMPACT (#PCDATA) > 
<!ELEMENT IMPACT COMMENT (#PCDATA) > 
<!ELEMENT SOLUTION (#PCDATA) > 
<!ELEMENT SOLUTION COMMENT (#PCDATA) > 
<!ELEMENT PCI FLAG (#PCDATA)> 
<!ELEMENT CORRELATION (EXPLOITABILITY?, MALWARE?) > 
<!ELEMENT EXPLOITABILITY (EXPLT_SRC) +> 
<!ELEMENT EXPLT SRC (SRC NAME, EXPLT_LIST)> 
<!ELEMENT SRC_NAME (#PCDATA) > 
<!ELEMENT EXPLT LIST (EXPLT) +> 
<!ELEMENT EXPLT (REF, DESC, LINK?) > 
<!ELEMENT REF (#PCDATA) > 
<!ELEMENT DESC (#PCDATA) > 
<!ELEMENT LINK (#PCDATA) > 
<!ELEMENT MALWARE (MW SRC) +> 
<!ELEMENT MW SRC (SRC NAME, MW LIST) > 
<!ELEMENT MW LIST (MW INFO) +> 
<!ELEMENT MW INFO (MW ID, MW TYPE?, MW PLATFORM?, MW ALIAS?, MW RATING?, 
MW LINK?) 
<!ELEMENT MW ID (#PCDATA) > 
<!ELEMENT MW TYPE (#PCDATA) > 
<!ELEMENT MW PLATFORM (#PCDATA) > 
<!ELEMENT MW ALIAS (#PCDATA) > 
<!ELEMENT MW RATING (#PCDATA) > 
<!ELEMENT MW LINK (#PCDATA) > 
<!ELEMENT LAST UPDATE (#PCDATA) > 
<!ELEMENT CVSS SCORE (CVSS BASE?, CVSS TEMPORAL?) > 
<!ELEMENT CVSS BASE (#PCDATA) > 
<!ATTLIST CVSS BASE 
source CDATA “IMPLIED 
> 
<!ELEMENT CVSS TEMPORAL (#PCDATA) > 
<!ELEMENT CVSS3 SCORE (CVSS3 BASE?, CVSS3 TEMPORAL?) > 
<!ELEMENT CVSS3 BASE (#PCDATA) > 
<!ELEMENT CVSS3 TEMPORAL (#PCDATA) > 
<!ELEMENT VENDOR_REFERENCE_LIST (VENDOR_REFERENCE+) > 
<!ELEMENT VENDOR REFERENCE (ID, URL) > 
<!ELEMENT ID (#PCDATA) > 
<!ELEMENT URL (#PCDATA) > 
<!ELEMENT CVE ID LIST (CVE ID+)> 
<!ELEMENT CVE ID (ID,URL)> 
<!ELEMENT BUGTRAO ID LIST (BUGTRAO ID+)> 
<!ELEMENT BUGTRAQ ID (ID,URL)> 
<!ELEMENT COMPLIANCE (COMPLIANCE INFO+) > 
<!ELEMENT COMPLIANCE INFO (COMPLIANCE TYPE, COMPLIANCE SECTION, 
COMPLIANCE DESCRIPTION) > 
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<!ELEMENT COMPLIANCE TYPE (#PCDATA) > 

<!ELEMENT COMPLIANCE SECTION (#PCDATA) > 

<!ELEMENT COMPLIANCE DESCRIPTION (#PCDATA) > 

<!-- APPENDICES --> 

<!ELEMENT APPENDICES (NO RESULTS?, NO VULNS?, TEMPLATE DETAILS?) > 
<!ELEMENT NO RESULTS (IP LIST)> 

<!ELEMENT IP LIST (RANGE*) > 

<!ELEMENT NO VULNS (IP LIST)> 

<!ELEMENT TEMPLATE DETAILS (VULN LISTS?, SELECTIVE VULNS?, 
EXCLUDED VULN LISTS?, EXCLUDED VULNS?, RESULTING VULNS?, FILTER SUMMARY?, 
EXCLUDED CATEGORIES?) > 

<!ELEMENT VULN LISTS (#PCDATA) > 

<!ELEMENT SELECTIVE VULNS (#PCDATA) > 

<!ELEMENT EXCLUDED VULN LISTS (#PCDATA) > 

<!ELEMENT EXCLUDED VULNS (#PCDATA) > 

<!ELEMENT RESULTING VULNS (#PCDATA) > 

<!ELEMENT FILTER SUMMARY (#PCDATA) > 

<!ELEMENT EXCLUDED CATEGORIES (#PCDATA) > 

<!ELEMENT NON RUNNING KERNELS (NON RUNNING KERNEL*) > 
<!ELEMENT NON RUNNING KERNEL (NRK OID*, IP*, SEVERITY*) > 
<!ELEMENT NRK QID (#PCDATA) > 


XPaths for Asset Data Report 
Report Section 


XPath 


element specifications / notes 


/ASSET. DATA REPOR'I 


ERROR | (HEADER, RISK SCORE PER HOST?, HOST LIST?, GLOSSARY?, 
NON. RUNNING. KERNELS?, APPENDICES?)) 


/ASSET. DATA REPOR'I 


[/HEADER 


COMPANY, USERNAME, GENERATION_DATETIME, TEMPLATE, TARGET, 
RISK. SCORE SUMMARY?) 


Report summary information. 


/ASS 


tm 


DATA_RE 


POR'I 


[/RISK. SCO 


RE PER HOST (HOSTS+) 


Risk score summary per host. This is included when the report template 
has the Text Summary setting selected. 


/ASSET. DATA REPORT/HOST LIST (HOST+) 

Detected vulnerabilities for each host. For each detected vulnerability, 

information specific to its detection on the host is also provided. 
/ASSET. DATA REPORT/GLOSSARY - (VULN DETAILS LIST) 

Vulnerability information applicable to all hosts. 
/ASSET. DATA REPORT/NON RUNNING KERNELS (VULN DETAILS LIST) 

Information related to vulnerabilities with non-running kernels. 
/ASSET_DATA_REPORT/APPENDICES (NO_RESULTS?, NO_VULNS?, TEMPLATE. DETAILS?) 

Additional data such as hosts with no scan results and template settings. 
/ASSET. DATA REPORT/ERROR  (#PCDATA) 


attribute: number 


number is implied and, if present, will be an error code. 
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Header 


XPath element specifications / notes 
/ASSET. DATA. REPORT/HEADER 


(COMPANY, USERNAME, GENERATION. DATETIME, TEMPLATE, TARGET, 
RISK. SCORE SUMMARY?) 


/ASSET. DATA REPORT/HEADER/COMPANY  (*PCDATA) 
The company name. 
/ASSET. DATA REPORT/HEADER/USERNAME — (4PCDATA) 
The login ID for the user who generated the report. 
/ASSET. DATA REPORT/HEADER/GENERATION DATETIME — (4PCDATA) 
The date and time when the report was generated, in 
YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 
/ASSET_DATA_REPORT/HEADER/TEMPLATE (#PCDATA) 
The title assigned to the template used to generate the report. 


/ASSET_DATA_REPORT/HEADER/TARGE 


(USER_ASSET_GROUPS?, USER IP LIST?, COMBINED IP LIST?, 
ASSET. TAG LIST?) 


/ASSET. DATA REPORT/HEADER/TARGET/USER ASSET GROUPS (ASSET_GROUP_TITLE+) 
/ASSET. DATA REPORT/HEADER/TARGET/USER ASSET GROUPS/ASSET. GROUP TITLE  (PCDATA) 


The title of an asset group that the user specified in the report template. 
/ASSET. DATA REPORT/HEADER/TARGET/USER IP LIST  (RANGE”) 
/ASSET. DATA REPORT/HEADER/TARGET/USER IP LIST/RANGE (START, END) 


network. id attribute identifies a network ID when the networks feature is 
enabled in the subscription. 


DATA REPORT/HEADER/TARGET/USER IP LIST/RANGE/START  (*PCDATA) 


The first IP address in a range of IPs that the user specified in the report 
template. 


/ASSET_DATA_REPORT/HEADER/TARGET/USER_IP_LIST/RANGE/END (#PCDATA) 


/ASS 


M 
m 


tm 


The last IP address in a range of IPs that the user specified in the report 
template. 


/ASSET_DATA_REPORT/HEADER/TARGET/COMBINED_IP_LIST (RANGE*) 
/ASSET_DATA_REPORT/HEADER/TARGET/COMBINED_IP_LIST /RANGE (START, END) 
network_id attribute identifies a network ID when the networks feature is 
enabled in the subscription. 
/ASSET. DATA REPORT/HEADER/TARGET/COMBINED IP LIST/RANGE/START  (*PCDATA) 


The first IP address in the combined IP range. This IP range combines IPs 
that the user specified in the report template (USER IP LIST) as well as IPs 
that make up the asset groups that the user specified in the report 
template (USER. ASSET. GROUPS). 


/ASSET. DATA REPORT/HEADER/TARGET/COMBINED IP LIST/RANGE/END  (#PCDATA) 


The last IP address in the combined IP range. This IP range combines IPs 
that the user specified in the report template (USER IP LIST) as well as IPs 
that make up the asset groups that the user specified in the report 
template (USER ASSET. GROUPS). 
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XPath element specifications / notes 
/ASSET. DATA REPORT/HEADER/TARGET/ASSET. TAG LIS (INCLUDED. TAGS, EXCLUDED. TAGS?) 


/ASSET. DATA REPORT/HEADER/TARGET/ASSET. TAG LIST/INCLUDED. TAGS/ASSET. TAG (#PCDATA) 


The list of asset tags included in the scan target. The scope “all” means 
hosts matching all tags; scope “any” means hosts matching at least one of 
the tags. 


/ASSET. DATA REPORT/HEADER/TARGET/ASSET. TAG LIST/EXCLUDED. TAGS/ASSET. TAG (#PCDATA) 


The list of asset tags excluded from the scan target. The scope “all” means 
hosts matching all tags; scope “any” means hosts matching at least one of 
the tags. 
/ASSET. DATA REPORT/RISK. SCORE SUMMARY 
(TOTAL VULNERABILITIES, AVG. SECURITY RISK, BUSINESS. RISK 


/ASSET. DATA REPORT/RISK SCORE SUMMARY/TOTAL VULNERABILITIES (#PCDATA) 


oC 


The sum of the vulnerabilities found on all hosts in the report. 


/ASSET_DATA_REPORT/RISK_SCORE_SUMMARY/AVG_SECURITY_RISK (#PCDATA) 
The average security risk calculated for the report. 
/ASSET_DATA_REPORT/RISK_SCORE_SUMMARY/RISK, BUSINESS RISK (#PCDATA) 


The business risk score calculated for the report. 


Security Risk Score per Host 


XPath element specifications / notes 
/ASSET_DATA_REPORT/RISK_SCORE_PER_HOST (HOSTS+) 


/ASSET_DATA_REPORT/RISK_SCORE_PER_HOST/HOSTS 
IP_ADDRESS, TOTAL_VULNERABILITIES, SECURITY_RISK) 
/ASSET_DATA_REPORT/RISK_SCORE_PER_HOST/HOSTS/IP_ADDRESS — (#PCDATA) 


The IP address of a host. The attribute network_id is the host's network ID 
when the networks feature is enabled in the subscription. 


/ASSET_DATA_REPORT/RISK_SCORE_PER_HOST/HOSTS/TOTAL_VULNERABILITIES (#PCDATA) 


The total number of vulnerabilties found on the host. 


tm 


/ASSET_DATA_REPORT/RISK_SCORE_PER_HOST/HOSTS/SECURITY_RISK (#PCDATA) 
The security risk score, either the average severity level detected or the 
highest severity level detected, based on the security risk setup setting for 
the subscription. For Express Lite, the average severity level is used. 

Host List 


The host list section includes a list of hosts in your report with detected vulnerabilities. 


XPath element specifications / notes 
/ASSET_DATA_REPORT/HOST_LIST (HOST+) 


/ASSET_DATA_REPORT/HOST_LIST/HOST 
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element specifications / notes 


(ERROR | (IP?, IPV6?, TRACKING METHOD, ASSET_TAGS?, HOST ID, 
ASSET ID?, DNS?, NETBIOS?, OG HOSTID?, CLOUD. PROVIDER?, 

CLOUD. PROVIDER. SERVICE?, CLOUD SERVICE?, 

CLOUD RESOURCE TYPE?, CLOUD. RESOURCE ID?, CLOUD ACCOUNT?, 
EC2 INSTANCE ID?, CLOUD IMAGE ID?, IP INTERFACES?, EC2 INFO?, 


CLOUD. RESOURCE METADATA?, AZURE VM INFO?, 
OPERATING_SYSTEM?, OS CPE?, ASSET_GROUPS?, VULN INFO LIST?)) 


/ASSET. DATA REPORT/HOST LIST/HOST/IP  (*PCDATA) 


The host's IP address. The attribute network. id identifies the host's network 
ID when the networks feature is enabled in the subscription. The attribute 
v6 identifies the hosts IPv6 IP address 


/ASSE /HOST/TRACKING METHOD  (#PCDATA) 
The host’s tracking method. This is one of: “ip”, “dns”, “netbios”, “agent”, 
“ec2” 

/ASSE /HOST/ASSET_TAGS (ASSET_TAG+) 

/ASS /HOST/ASSET_TAGS/ASSET_TAG (#PCDATA) 


An asset tag assigned to the host. 


/ASS 


_LIST/HOST/DNS — (*PCDATA) 


The DNS host name when known. For an EC2 asset this is the private DNS 
name. 


/ASS 


tm 


_LIST/HOST/NETBIOS (#PCDATA) 


The Microsoft Windows NetBIOS host name if appropriate, when known. 


/ASS 


tri 


_LIST/HOST/QG_HOSTID (#PCDATA) 


Qualys host ID. 


/ASS 


tm 


_LIST/HOST/CLOUD_PROVIDER (#PCDATA) 


Cloud provider of the asset. These will be populated for all cloud assets 
(Azure, EC2, Google). 


/ASS 


tm 


SUIS 


T/HOST/CLOUD_PROVIDER_SERVICE (#PCDATA) 


Cloud provider services of the asset. For example, compute engine. 


/ASS 


m 


T/HOST/CLOUD. SERVICE (#PCDATA) 
Cloud service of the asset. For example: (VM for Azure, EC2 for AWS). 


/ASS 


/HOST/CLOUD RESOURCE TYPE (#PCDATA) 


Cloud resource type of the asset. For example, virtual machine. 


/ASS LIST/HOST/CLOUD_RESOURCE_ID (#PCDATA) 
Cloud resource ID of the asset. 
/ASS _LIST/HOST/CLOUD_ACCOUNT (#PCDATA) 


Cloud account of the asset. 


/ASS 


m 


/HOST/EC2 INSTANGE ID (4PCDATA) 
EC2 instance ID. 


/ASS 


tm 


_LIST/HOST/CLOUD_IMAGE_ID (#PCDATA) 


Cloud image ID. 


/ASS 
/ASS 


tri 


DS VHOSMIRANTERRACESEEIES) 


hts 


/HOST/IP_INTERFACES/IP (#PCDATA) 


Host IP interface. 
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element specifications / notes 


/ASSET. DATA REPORT/HOST. LIST/HOST/EC2. INFO 
(PUBLIC DNS NAME?, IMAGE ID?, VPC ID?, INSTANCE_STATE?, 


PRIVATE DNS 


SUBNET. ID?) 


NAME?, INSTANCE_TYPE?, ACCOUNT ID?, REGION. CODE?, 


/ASS 


LIDIA 


_REPORT/HOST_LIST/HOST/EC2_ 


EC2 instance 


NFO/PUBLIC DNS NAME (#PCDATA) 


public DNS name. 


/ASS 


_DA 


EC2 instance 


_REPORT/HOST_LIST/HOST/EC2_INFO/IMAGE_ID (4PCDATA) 
image ID. 


/ASS 


tm 


DA 


_REPORT/HOST_LIST/HOST/EC2_ 


EC2 VPC ID. 


NFO/VPC ID (4PCDATA) 


/ASS 


El 


DA 


BRELOR«/ HO SIMS EOS EGO 


EC2 instance state. 


NFO/INSTANCE STATE (#PCDATA) 


/ASS 


tri 


DA 


_REPORT/HOST_LIST/HOST/EC2_ 


EC2 instance private DNS name. 


NFO/PRIVATE DNS NAME  (#PCDATA) 


/ASS 


M 


DA 


SREVORM/H@ sim AS AOST AED 


Instance type 


NFO/INSTANCE TYPE (#PCDATA) 


of the EC2 instance. 


/ASS 


M 


DA 


_REPORT/HOST_LIST/HOST/EC2_ 


Account ID of the EC2 instance. 


NFO/ACCOUNT. ID (#PCDATA) 


/ASS 


tri 


DA 


_REPORT/HOST_LIST/HOST/EC2_ 


Region code o 


NFO/REGION_CODE (#PCDATA) 
f the EC2 instance. 


/ASS 


M 


DA 


_REPORT/HOST_LIST/HOST/EC2_ 


Subnet ID of t 


FO/SUBNET_ID (#PCDATA) 


he EC2 instance. 


/ASS 


BDA 


- REPORT/HOST. LIST/HOST/CLOUD. RESOURCE METADATA 


(INSTANCE ID?, PUBLIC DNS NAME?, VM ID?, VM. NAME?, PLATFORM?, 


HOST. NAME?, MACHINE TYPE?, MACHINE. STATE?, PROJECT ID?, 
PUBLIC IP ADDRESS?, VPC_NETWORK?, ZONE?, IMAGE. OFFER?, 
IMAGE. PUBLISHER?, IMAGE. VERSION?, SUBNET?, VM. STATE?, 


PRIVATE IP A 


DDRESS?, IMAGE ID?, SPOT. INSTANCE?, 


AVAILABILITY ZONE?, VPC ID?, GROUP ID?, GROUP NAME?, 
LOCAL HOSTNAME?, INSTANCE. STATE?, PRIVATE. DNS NAME?, 


INSTANCE TYPE?, ACCOUNT. ID?, REGION 


CODE?, SUBNET ID?, 


RESERVATION ID?, SIZE?, SUBSCRIPTION ID?, LOCATION?, 


RESOURCE GROUP NAME?, MAC. ADDRESS?) 


/ASS 


SDA 


Instance id. 


- REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/INSTANCE ID (#PCDATA) 


/ASS 


_DA 


_REPORT/HOST_LIST/HOST/CLOUD_RESOURCE_M 
Public DNS name. 


mi 


'ADATA/PUBLIC. DNS NAME (#PCDATA) 


/ASS 


m 


DA 


. REPORT/HOST. LIST/HOST/CLOUD RESOURCE. M 
Virtual Machine ID. 


tm 


'ADATA/VM_ID (4PCDATA) 


/ASS 


tm 


DA 


_REPORT/HOST_LIST/HOST/CLOUD_RESOURCE_M 


Virtual Machine name. 


mi 


'ADATA/VM. NAME (#PCDATA) 


/ASS 


M 


DA 


- REPORT/HOST. LIST/HOST/CLOUD RESOURCE M 


Platform. 


'ADATA/PLATFORM (#PCDATA) 


trj 


/ASS 


M 


DA 


_REPORT/HOST_LIST/HOST/CLOUD_RESOURCE_M 


mi 


'ADATA/HOST. NAME (#PCDATA) 
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XPath element specifications / notes 
Host name. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/MACHINE. TYPE (#PCDATA) 
Machine type. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD. RESOURCE METADATA/MACHINE. STATE (#PCDATA) 
Machine state. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/PROJECT ID (#PCDATA) 
Project ID. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/PUBLIC IP ADDRESS (#PCDATA) 
Public IP Address. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/VPC. NETWORK (#PCDATA) 
VPC Network. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE. METADATA/ZONE (#PCDATA) 
Cloud Provider Zone. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/IMAGE OFFER (#PCDATA) 
Image offering form the publisher 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/IMAGE. PUBLISHER (#PCDATA) 
Image publisher. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/IMAGE. VERSION (#PCDATA) 
Cloud provider image version. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/SUBNET (#PCDATA) 
Subnet of your cloud provider. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/VM. STATE (#PCDATA) 
Cloud provider virtual machine state. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/PRIVATE. IP ADDRESS (#PCDATA) 
Private IP of cloud provider asset 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/IMAGE ID (#PCDATA) 
Cloud provider image ID. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/AVAILABILITY ZONE (#PCDATA) 
nstance availability zone 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/VPC ID (#PCDATA 
nstance VPC ID. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/CLOUD_RESOURCE_METADATA/GROUP_ID (#PCDATA) 
nstance group ID. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/CLOUD_RESOURCE_METADATA/GROUP_NAME (#PCDATA) 
nstance group name. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/CLOUD_RESOURCE_METADATA/INSTANCE_STATE (#PCDATA) 
nstance state. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/CLOUD_RESOURCE_METADATA/PRIVATE_DNS_NAME (#PCDATA) 
Private DNS name. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/CLOUD_RESOURCE_METADATA/INSTANCE_TYPE (#PCDATA) 
nstance type. 


251 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 6 - VM Reports XML 


XPath element specifications / notes 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/ACCOUNT ID (#PCDATA) 


Y 


nstance account ID. 
DATA_REPORT/HOST_LIST/HOST/CLOUD_RESOURCE_M 
Region code of the instance. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/CLOUD_RESOURCE_M 


/ASS 


M 


trj 


'ADATA/REGION_CODE (#PCDATA) 


tri 


'ADATA/SUBNET. ID #PCDATA) 
nstance subnet ID. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/CLOUD_RESOURCE_M 


mi 


'ADATA/SUBSCRIPTION ID (#PCDATA) 


D of subscription. 


/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD RESOURCE METADATA/LOCATION (#PCDATA) 
Location of instance. 
/ASSET. DATA REPORT/HOST. LIST/HOST/CLOUD. RESOURCE. METADATA/RESOURCE. GROUP NAME 
(#PCDATA) 
Resource group name of the instance. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/CLOUD_RESOURCE_METADATA/MAC_ADDRESS (#PCDATA) 
Mac address of the instance. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/AZURE_VM_INFO 


PUBLIC_IP_ADDRESS?, IMAGE _OFFER?, IMAGE VERSION?,SUBNET?,VM. ST 
ATE?,PRIVATE_IP_ADDRESS?,SIZE?, SUBSCRIPTION_ID?, LOCATION?, 
RESOURCE_GROUP_NAME?) 


DATA_REPORT/HOST_LIST/HOST/AZURE_VM_INFO/PUBLIC_IP_ADDRESS (#PCDATA) 
The IP address of the host. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/AZURE_VM_INFO/IMAGE_OFFER (#PCDATA) 


/ASS 


M 


Image offering form the publisher. 


/ASSET. DATA REPORT/HOST. LIST/HOST/AZURE VM INFO/IMAGE. VERSION (#PCDATA) 
Azure VM image version. 
/ASSET. DATA REPORT/HOST. LIST/HOST/AZURE VM INFO/SUBNET (#PCDATA) 
Subnet of the Azure VM asset. 
/ASSET. DATA REPORT/HOST. LIST/HOST/AZURE VM INFO/VM. STATE (#PCDATA) 
Azure virtual machine state. Possible values are: STARTING, RUNNING, 
STOPPING, STOPPED, DEALLOCATING, DEALLOCATED, UNKNOWN. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/AZURE_VM_INFO/PRIVATE_IP_ADDRESS (#PCDATA) 
Private IP address of the Azure VM asset. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/AZURE_VM_INFO/SIZE (#PCDATA) 
Size of the Azure VM asset. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/AZURE_VM_INFO/SUBSCRIPTION_ID (#PCDATA) 
Subscription ID of the Azure VM asset. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/AZURE_VM_INFO/LOCATION (#PCDATA) 
Location of the Azure VM asset. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/AZURE_VM_INFO/RESOURCE_GROUP_NAME (#PCDATA) 


Resource group name of the Azure VM asset. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/OPERATING_SYSTEM  (*PCDATA) 


The operating system detected on the host. 
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XPath element specifications / notes 
/ASSET. DATA REPORT/HOST LIST/HOST/OS CPE — (*PCDATA) 


[The OS CPE name assigned to the operating system detected on the host. 
(The OS CPE name appears only when the OS CPE feature is enabled for the 
subscription, and an authenticated scan was run on this host after enabling 
this feature.) 


/ASSET_DATA_REPORT/HOST_LIST/HOST/ASSET_GROUPS (ASSET_GROUP_TITLE+) 
/ASSET_DATA_REPORT/HOST_LIST/HOST/ASSET_GROUPS/ASSET_GROUP_TITLE (#PCDATA) 


The title of an asset group that the host belongs to. This list includes all 
asset groups that the host belongs to in the user’s account. 


/ASSET_DATA_REPORT/HOST_LIST/HOST/VULN_INFO_LIST  (VULN_INFO+) 
/ASSET_DATA_REPORT/HOST_LIST/HOST/VULN_INFO_LIST/VULN_INFO 


(QID, TYPE, PORT?, SERVICE?, FODN?, PROTOCOL?, SSL?, INSTANCE?, 
RESULT?, FIRST. FOUND?, LAST_FOUND?, TIMES FOUND?, 
VULN_STATUS?, LAST. FIXED?, FIRST. REOPENED?, LAST. REOPENED?, 


TIMES. REOPENED?, CVSS. FINAL?, CVSS3. FINAL?, TICKET. NUMBER?, 
TCKET. STATE?) 


/ASSET. DATA REPORT/HOST LIST/HOST/VULN INFO LIST/VULN INFO/OCID (#PCDATA) 
The Qualys ID (QID) assigned to the vulnerability. 


attribute: id id is required and is a reference ID (CDATA) that corresponds to a QID 
defined under the Glossary section. 


/ASSET_DATA_REPORT/HOST_LIST/HOST/VULN_INFO_LIST/VULN_INFO/TYPE (#PCDATA) 


The type of vulnerability check. A valid value is “Vuln” for a confirmed 
vulnerability, “Practice” for a potential vulnerability, or “Ig” for an 
information gathered. 


/ASSET_DATA_REPORT/HOST_LIST/HOST/VULN_INFO_LIST/VULN_INFO/PORT  (*PCDATA) 


The port number that the vulnerability was detected on. 
/ASSET_DATA_REPORT/HOST_LIST/HOST/VULN_INFO_LIST/VULN_INFO/SERVICE (#PCDATA) 


The service that the vulnerability was detected on. 

/ASSET. DATA REPORT/HOST. LIST/HOST/VULN INFO LIST/VULN INFO/FODN  (#PCDATA) 

The Fully Oualified Domain Name (FODN) associated with the host. 
DATA. REPORT/HOST. LIST/HOST/VULN INFO LIST/VULN INFO/PROTOCOL (#PCDATA) 


M 


(ASS 


M 


The protocol that the vulnerability was detected on. 
DATA. REPORT/HOST. LIST/HOST/VULN INFO LIST/VULN INFO/SSL  (#PCDATA) 


A flagindicating whether SSL was present on this host. If SSL was present, 
the SSL element appears with the value “true”. 


DATA. REPORT/HOST. LIST/HOST/VULN INFO LIST/VULN INFO/RESULT  (#PCDATA) 


tm 


/ASS 


/ASS 


tm 


Specific scan test results for the vulnerability, from the host assessment 
data. 


attribute: format format is implied and, 1f present, will be “table,” indicating that the results 
are a table that has columns separated by tabulation characters and rows 
separated by new-line characters 


/ASSET. DATA REPORT/HOST. LIST/HOST/VULN INFO LIST/VULN INFO/FIRST FOUND  (*PCDATA) 


[he date and time when the vulnerability was first detected on the host, in 
YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 
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/ASSET. DATA REPORT/HOST. LIST/HOST/VULN INFO LIST/VULN INFO/LAST FOUND  (#PCDATA) 


[he date and time when the 
(from the most recent scan), 
(UTC/GMT). 


vulnerability was last detected on the host 
in YYYY-MM-DDTHH:MM:SSZ format 


/ASSET. DATA REPOR 


/HOS 


_LIST/HOST/VULN_INFO_LIST/VULN_INFO/TIMES_FOUND  (#PCDATA) 


The total number of times the vulnerability was detected on the host. 


/ASSET. DATA REPOR 


/HOS 


gathered.) 


A valid value is “New” for an 
time, Active for an active vu 
“Re-Opened” i 

and “Fixed” for a vulnerabili 
fixed. 


_LIST/HOST/VULN_INFO_LIST/VULN_INFO/VULN_STATUS (#PCDATA) 


The vulnerability status. (Note status levels do not apply to information 


active vulnerability that was detected one 
nerability that was detected at least two times, 


for an active vulnerability that was fixed and then re-opened, 


ty that was detected previously and is now 


/ASSET. DATA REPOR 


/H 


OS 


he last fixed date/time for 


_LIST/HOST/VULN_INFO_LIST/VULN_INFO/LAST_FIXED (#PCDATA) 


the vulnerability on the host. 


/ASSET. DATA REPOR 


/H 


OS 


he date and time when the 
YYYY-MM-DDTHH:MM:SSZ 


_LIST/HOST/VULN_INFO_LIST/VULN_INFO/FIRST_REOPENED  (#PCDATA) 


vulnerability was first reopened on the host, in 
format (UTC/GMT). 


/ASS 


M 


T. DATA REPOR 


/H 


OS 


O 
_LIST/HOST/VULN_INFO_LIST/VULN_INFO/LAST_REOPENED — (*PCDATA) 


he date and time when the 
YYYY-MM-DDTHH:MM:SSZ 


vulnerability was last reopened on the host, in 
t (UTC/GMT). 


/ASS 


M 


DATA REPOR 


/H 


OS 


O 
_LIST/HOST/VULN_INFO_LIST/VULN_INFO/TIMES_ REOPENED (#PCDATA) 
n 


he number of times the vu 


E 


erability on the host has been reopened. 


/ASS 


tri 


DATA REPOR 


/H 


OS 


_LIST/HOST/VULN_INFO_LIST/VULN_INFO/CVSS_FINAL  (#PCDATA) 


The final CVSS score calculated for the host. 


/ASSET. DATA REPOR 


tm 


/H 


OS 


The final CVSS3 score calcul 


defined by NIST, this is the Temporal score. 


_LIST/HOST/VULN_INFO_LIST/VULN_INFO/CVSS3_FINAL  (*PCDATA) 


ated for the host. If Access Vector is not 


/ASSET. DATA REPOR 


/H 


OS 


host. 


_LIST/HOST/VULN_INFO_LIST/VULN_INFO/TICKET_NUMBER  (#PCDATA) 


[he number of the ticket that applies to the vulnerability instance on the 


/ASSET_DATA_REPOR 


/H 


OS 


the host. 


_LIST/HOST/VULN_INFO_LIST/VULN_INFO/TICKET_STATE (#PCDATA) 


The state/status of the ticket that applies to the vulnerability instance on 


tm 


/ASSET. DATA REPOR 


/H 


OS 


_LIST/HOST/VULN_INFO_LIST/VULN_INFO/INSTANCE  (#PCDATA) 


The Oracle DB instance the vulnerability was detected on. 


/ASSET. DATA REPOR 


attribute: number 


M 


/H 


OS 


_LIST/HOST/ERROR  (#PCDATA 


number is implied and, if present, will be an error code. 
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Glossary 


The Glossary element is included in the XML report output only when you enable 
vulnerability details in the report template. 


XPath element specifications / notes 

/ASSET. DATA. REPORT/GLOSSARY (VULN. DETAILS LIST) 

/ASSET. DATA. REPORT/GLOSSARY/VULN. DETAILS LIS (VULN. DETAILS+) 
/ASSET. DATA. REPORT/GLOSSARY/VULN. DETAILS. LIST/VULN. DETAILS 


(QID, TITLE, SEVERITY, CATEGORY, CUSTOMIZED?, THREAT, 
THREAT_COMMENT?, IMPACT, IMPACT_COMMENT?, SOLUTION, 
SOLUTION_COMMENT?, COMPLIANCE?, CORRELATION?, PCI_FLAG, 
LAST_UPDATE?, CVSS_SCORE?, CVSS3_SCORE?, 


VENDOR_REFERENCE_LIST?, CVE ID LIST?, BUGTRAO ID LIST?) 
/ASSET. DATA REPORT/GLOSSARY/VULN DETAILS LIST/VULN DETAILS/OID — (#PCDATA) 
The Qualys ID (QID) assigned to the vulnerability. 


attribute: id id is required and is a reference ID (CDATA) that corresponds to a QID listed 
in the Host List section. 


/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/TITLE (#PCDATA) 
The title of the vulnerability. 
DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/SEVERITY (#PCDATA) 


/ASS 


tm 


he severity level assigned to the vulnerability. 
DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CATEGORY (#PCDATA) 
t 


/ASS 


M 


[he category of the vulnerabili 


/ASSET. DATA REPORT/GLOSSARY/VULN DETAILS. LIST/VULN. DETAILS/CUSTOMIZED 
(DISABLED?, CUSTOM. SEVERITY?) 
T/GLOSSARY/VULN. DETAILS. LIST/VULN. DETAILS/CUSTOMIZED/DISABLED 

(#PCDATA) 


Identifies whether the vulnerability was disabled by a Manager users. If 
disabled, the vulnerabilities is filtered from reports. 


/ASSET_DATA_REPO 


ro) 


/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CUSTOMIZED/ 

CUSTOM SEVERITY (#PCDATA) 
Identifies whether the severity level was changed. Managers can change 
the severity level by editing the vulnerability in the Oualys KnowledgeBase. 

/ASSET. DATA REPORT/GLOSSARY/VULN DETAILS LIST/VULN DETAILS/THREAT  (H*PCDATA) 
The Oualys provided description of the threat. 

/ASSET. DATA REPORT/GLOSSARY/VULN DETAILS LIST/VULN. DETAILS/THREAT. COMMENT (#PCDATA) 
User-defined description of the threat, if any. 

/ASSET. DATA REPORT/GLOSSARY/VULN DETAILS LIST/VULN DETAILS/IMPACT  (#PCDATA) 
The Qualys provided description of the impact. 

/ASSET. DATA REPORT/GLOSSARY/VULN DETAILS LIST/VULN. DETAILS/IMPACT. COMMENT (#PCDATA) 
User-defined description of the impact, if any. 


235 


XPath 


Gualys API (VM, PC) XML/DTD Reference 


element specifications / notes 


Chapter 6 - VM Reports XML 


/ASSET. DATA REPORT/GLOSSARY/VULN. DETAILS LIST/VULN. DETAILS/ 


SOLUTION (#PCDATA) 


The Qualys provided description of the so 
information is correlated with a vulnerabi 
from Trend Micro appears under the head 
includes a list of virtual patches anda lin 


ution. When virtual patch 

ity, the virtual patch information 
ing “Virtual Patches:”. This 

k to more information. 


/ASSET. DATA REPOR'I 
SOLUTION. COMMENT 


F/GLOSSARY/VULN. DETAILS 
(4PCDATA) 


LIST/VULN. DETAILS/ 


User-defined description of the so 


lution, if 


any. 


/ASSET. DATA REPORT/GLOSSARY/VULN. DETAI 


LS, LIST/VULN. DE'I 


A flag that indi 


TAILS/PCI_FLAG 


cates whether the vulnerability must be fixed to pass a PCI 


(#PCDATA) 


compliance scan. The value “1” indicates the vulnerability must be fixed to 

pass PCI compliance. The value “0” indicates the vulnerability does not 

need to be fixed to pass PCI compliance. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION 

(EXPLOITABILITY?, MALWARE?) 

/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION/ 
EXPLOITABILITY (EXPLT_SRC)+ 

The <EXPLOITABILITY> element and its sub-elements appear only when 

there is exploitability information for the vulnerability from third party 

vendors and/or publicly available sources. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION/ 
EXPLOITABILITY/EXPLT_SRC (SRC_NAME, EXPLT_LIST) 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION/ 
EXPLOITABILITY/EXPLT. SRC/SRC NAME — (4PCDATA) 

The name of a third party vendor or publicly available source of the 

vulnerability information. 
/ASSET. DATA REPORT/GLOSSARY/VULN. DETAILS LIST/VULN. DETAILS/CORRELATION/ 
EXPLOITABILITY/EXPLT. SRC/EXPLT. LIS (EXPLT)+ 
/ASSET. DATA REPORT/GLOSSARY/VULN. DETAILS LIST/VULN. DETAILS/CORRELATION/ 
EXPLOITABILITY/EXPLT. SRC/EXPLT. LIST/EXPL (REF, DESC, LINK?) 
/ASSET. DATA REPORT/GLOSSARY/VULN. DETAILS LIST/VULN. DETAILS/CORRELATION/ 
EXPLOITABILITY/EXPLT_SRC/EXPLT_LIST/EXPLT/REF (#PCDATA 

The CVE reference for the exploitability information 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION/ 
EXPLOITABILITY/EXPLT_SRC/EXPLT_LIST/EXPLT/DESC (#PCDATA) 

The description provided by the source of the exploitability information 

(third party vendor or publicly available source). 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION/ 
EXPLOITABILITY/EXPLT_SRC/EXPLT_LIST/EXPLT/LINK  (*PCDATA, 

A link to the exploit, when available. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION/ 
MALWARE (MW_SRC)+ 

The <MALWARE> element and its sub-elements appear only when there is 

malware information for the vulnerability from Trend Micro. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION/ 
MALWARE/MW SRC (SRC. NAME, MW LIST) 
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/ASSET. DATA REPORT/GLOSSARY/VULN. DETAILS. LIST/VULN. DETAILS/CORRELATION/ 
MALWARE/MW. SRC/SRC NAME  (*PCDATA) 

The name of the source of the malware information: Trend Micro. 
/ASSET. DATA REPORT/GLOSSARY/VULN. DETAILS. LIST/VULN. DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST (MW INFO)+ 
/ASSET. DATA REPORT/GLOSSARY/VULN. DETAILS. LIST/VULN. DETAILS/CORRELATION/ 

MALWARE/MW. SRG/MW. LIST/MW. INFO 
(MW. ID, MW. TYPE?, MW. PLATFORM?, MW. ALIAS?, MW. RATING?, 
MW. LINK?) 
/ASSET. DATA REPORT/GLOSSARY/VULN. DETAILS LIST/VULN. DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO /MW_ID — (#PCDATA) 

The malware name/ID assigned by Trend Micro. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO /MW_TYPE — (4PCDATA) 

The type of malware, such as Backdoor, Virus, Worm or Trojan. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO /MW_PLATFORM  (*PCDATA) 

A list of the platforms that may be affected by the malware. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO /MW. ALIAS  (#PCDATA) 

A list of other names used by different vendors and/or publicly available 

sources to refer to the same threat. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO /MW. RATING  (#PCDATA) 

The overall risk rating as determined by Trend Micro: Low, Medium or High. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO /MW_LINK (#PCDATA 

A link to malware details. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/LAST_UPDATE (#PCDATA) 

The date and time when the vulnerability was last updated in the Qualys 

KnowledgeBase, in YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CVSS_SCORE 

CVSS_BASE?, CVSS_TEMPORAL?) 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CVSS_SCORE/CVSS_BASE 


attribute: source 


#PCDATA) 


Note: This attribute is never present 


CVSS2 Base score defined for the vulnerability. 


in XML output for this release. 


/ASSET_DAT 


CVSS_TEMPORAL 


TA. REPORT/GLOSSARY/VULN DETAILS LIST/VULN. DETAILS/CVSS. SCORE/ 


(4PCDATA) 


CVSS2 Temporal score defined for the vulnerability. 


/ASSET. DAT 


TA. REPORT/GLOSSARY/VULN DETAILS LIST/VULN DETAILS/CVSS3 SCORE 


(CVSS3_BASE?, CVSS3. TEMPORAL?) 


MAS SEINE 


DAT 


[TA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETA 


(#PCDATA) 


CVSS3 Base score defined for the vulnerability. 


LS/CVSS3_SCORE/CVSS3_BASE 
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/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CVSS3_SCORE/ 
CVSS3_TEMPORAL (#PCDATA) 

CVSS3 Temporal score defined for the vulnerability. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/VENDOR_REFERENCE_LIST 

(VENDOR_REFERENCE+) 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/VENDOR_REFERENCE_LIST/ 
VENDOR REFERENCE (ID, URL) 

The name of a vendor reference, and the URL to this vendor reference. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/reference_list/reference/ID 

(#PCDATA) 

The name of a vendor reference, CVE name, or Bugtraq ID. 

/ASSET. DATA REPORT/GLOSSARY/VULN. DETAILS LIST/VULN. DETAILS/reference list/reference/URL 

(#PCDATA) 

The URL to the vendor reference, CVE name, or Bugtraq ID. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/CVE_ID_LIST (CVE ID+) 
/ASSET. DATA REPORT/GLOSSARY/VULN DETAILS LIST/VULN. DETAILS/CVE ID LIST/CVE.ID (ID, URL) 

A CVE name assigned to the vulnerability, and the URL to this CVE name. 


CVE (Common Vulnerabi 


ities and Exposures) is a 


list of common names for 


publicly known vulnerabilities and exposures. Through open and 
collaborative discussions, the CVE Editorial Board determines which 
vulnerabilities or exposures are included in CVE. If the CVE name starts 
with CAN (candidate) then it is under consideration for entry into CVE. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/BUGTRAQ ID LIST 
(BUGTRAO ID+) 
/ASSET. DATA REPORT/GLOSSARY/VULN. DETAILS LIST/VULN. DETAILS/BUGTRAO ID LIST/BUGTRAO ID 
(ID, URL) 
A Bugtrag ID assigned to the vulnerability, and the URL to this Bugtrag ID. 
/ASSET. DATA REPORT/GLOSSARY/VULN. DETAILS LIST/VULN. DETAILS/COMPLIANCE 
(COMPLIANCE_INFO+) 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/COMPLIANCE/ 
COMPLIANCE_INFO (COMPLIANCE_TYPE, COMPLIANCE_SECTION, COMPLIANCE_DESCRIPTION) 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/COMPLIANCE/ 
COMPLIANCE INFO/COMPLIANCE TYPE (#PCDATA) 
The type of a compliance policy or regulation that is associated with the 
vulnerability. A valid value is: HIPAA, GLBA, CobIT or SOX. 
/ASSET_DATA_REPORT/GLOSSARY/VULN_DETAILS_LIST/VULN_DETAILS/COMPLIANCE/ 
COMPLIANCE INFO/COMPLIANCE SECTION (#PCDATA) 
The section of a compliance policy or regulation associated with the 
vulnerability. 
/ASSET. DATA REPORT/GLOSSARY/VULN. DETAILS. LIST/VULN. DETAILS/COMPLIANCE/ 


COMPLIANCE _ 


NFO/COMPLIANCE_DESCRIPTION 


(#PCDATA) 


The description of a compliance policy or regulation associated with the 


vulnerability. 
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/ASSET_DATA_REPORT/NON_RUNNING_KERNELS (NON. RUNNING KERNEL*) 


/ASSET. DATA REPORT/NON. RUNNING KERNELS/NON. RUNNING KERNEL 


INDRUS (OVID), WP, SHEN AEN NC) 
/ASSET_DATA_REPORT/NON_RUNNING_KERNELS/NON_RUNNING_KERNEL/NRK_QID (#PCDATA) 


B 


The vulnerability QID with 
DATA_REPORT/NON_RUNNING_KERNELS/NON_RUNNING_KERNEL/IP (#PCDATA) 


on-running kernel. 


VASS 


M 


The IP address related to the vulnerability with non-running kernel. 
DATA. REPORT/NON RUNNING KERNELS/NON RUNNING KERNEL/SEVERITY  (*PCDATA) 


/ASS 


M 


The severity level of the vulnerability with non-running kernel. 


Appendices 


XPath element specifications / notes 
/ASSET DATA REPORT/APPENDICES (NO_RESULTS?, NO VULNS?, TEMPLATE. DETAILS?) 


/ASSET. DATA. REPORT/APPENDICES/NO. RESULTS (IP. LIST) 
A list of IPs for which there are no available scan results. This includes 
hosts that were not “alive” at the time of the scan. 

/ASSET. DATA. REPORT/APPENDICES/NO. RESULTS /IP LIST (RANGE”) 


network_id attribute identifies the asset's network ID when the networks 
feature is enabled in the subscription. 


s 
/ASSET_DATA_REPORT/APPENDICES/NO_RESULTS/IP_LIST/RANGE (START, END) 
/ASSET_DATA_REPORT/APPENDICES/NO_RESULTS/IP_LIST/RANGE/START (#PCDATA) 
The first IP address in the range. 
NDICES/NO_RESULTS/IP_LIST/RANGE/END (#PCDATA) 
The last IP address in the range. 

NDICES/NO_VULNS (IP_LIST) 


A list of IPs for which you have saved scan results but the results are not 
displayed because all vulnerability checks have been filtered out. To display 
these results, make changes to the filter settings in your report template. 


tri 


/ASS 


tm 


DATA_REPORT/APP 


mi 


/ASS 


tm 


T_DATA_REPORT/APP 


m 


This appendix also lists IPs for which no vulnerabilities were detected by 
the service. Verify the scan options specified in your option profile. 


NDICES/NO. VULNS/IP LIST (RANGE*) 


network. id attribute identifies the asset's network ID when the networks 
feature is enabled in the subscription. 


/ASSET. DATA REPORT/APPENDICES/NO VULNS/IP LIST/RANGE (START, END) 
/ASSET. DATA REPORT/APPENDICES/NO VULNS/IP LIST/RANGE/START  (#PCDATA) 
The first IP address in the range. 
NDICES/NO_VULNS/IP_LIST/RANGE/END - (4PCDATA) 


The last IP address in the range. 


/ASS 


tm 


DATA_REPORT/APP 


m 


/ASS 


M 


DATA. REPORT/APP 


m 
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/ASSET_DATA_REPORT/APPENDICES/1 


ENTE 


DETAILS 


(VULN_LISTS?, SELECTIV. 
DED_VULNS?, RES 
DED_CATEGORIES? 


EXC 
EXC 


) 


E_VULNS?, EXCLUDED_VULN_LISTS?, 
ULTING_VULNS?, FILTER. SUMMARY?, 


PORT/APPENDICES/ 


The 


/ASSET. DATA REPOR'I N 


ti 


EMPLAT 


DETAILS/VULN_ 


tle of each included searc 


LISTS (4PCDATA) 


h list when specified in the report template. 


/ASS _REPORT/APPENDICES/ 


EMPLA 


_DETAILS/SELECTIVE_VULNS 


(#PCDATA) 


PO DICES/ 


/ASS 


tm 


_DATA_REPORT/APP 


he ti 


EMPLA 


OD EAMES EXC 


tle of each excluded search 


DED_VULN_LISTS (#PCDATA) 


list when specified in the report template. 


GES? 


A 
report 


/ASS PORT/A 


M 


REPORT/APP 


EMPLA 


l excluded OI 
temp 


DETAILS/EXCLU 


Ds contained in 
ate. 


DED. VULNS 


(4PCDATA) 


the excluded search lists specified in the 


PO CES/ 


This elem 
lists were 
contains 


/ASSET. DATA. REPORT/APP 


EMPLA 


ent appears when both 
specified in the report 
the resulting list of included QIDs, where a 
been removed. No value appears i 


DETAILS/RESULTING_VULNS 


(#PCDATA\ 


included search lists and excluded search 
emplate. When present, this element 

l excluded QIDs have 
f there were no resulting QIDs. 


t 


/ASSET_DATA_REPORT/APPENDICES/TEMPLATE_DETAILS/FILTER_SUMMARY 


Asummary of the 
example, you may 
vulnerability checks (active, disabled and ignored) for vul 


potential vulnerabilities and information gathered. 


filters set on 


filter particula 


(4PCDATA) 


the Filter tab in the report template. For 
status levels, severity levels and types of 
nerabilities, 


/ASSET. DATA REPORT/APPENDICES/TEMPLATE. DETAILS/EXCLUDED. CATEGORIES 


A list of vulnerabili 


ty categories 


(#PCDATA) 
that were filtered out of the report. Identify 


which vulnerability categories to include on the Filter tab in the report 


template. 
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Chapter 7 - VM Scorecard Reports XML 


This section describes the XML output returned from VM Scorecard Report API reguests. 
Asset Group Vulnerability Report 

Ignored Vulnerabilities Report 

Most Prevalent Vulnerabilities Report 

Most Vulnerable Hosts Report 

Patch Scorecard Report 


Asset Group Vulnerability Report 
API used 


<platform API server>/api/2.0/fo/report/scorecard/ 


DTD for Asset Group Vulnerability Report 
<platform API server>/asset group scorecard.dtd 


A recent DTD is shown below. 


<?xml version="1.0" encoding="UTF-8"?> 

<!ELEMENT ASSET GROUP SCORECARD (ERROR | (HEADER, SUMMARY, RESULTS) ) > 
<!ELEMENT ERROR (#PCDATA) > 
<!ATTLIST ERROR number CDATA #IMP 


IED> 


<!-- G HEADER --> 
<!ELEMENT HEADER (NAME, GENERATION DATETIME, COMPANY INFO, USER_INFO) > 
<!ELEMENT NAME (#PCDATA) > 
M 
M 


A 
Q 
Zz 


<!ELE RATION DATETIME (#PCDATA) > 
<!ELEMENT SCORECARD TYPE (#PCDATA) > 


<!ELEMENT COMPANY INFO (NAME, ADDRESS, CITY, STAT 
<!ELEMENT ADDRESS (#PCDATA) > 

<!ELEMENT CITY (#PCDATA) > 
<!ELEMENT STATE (#PCDATA) > 
<!ELEMENT COUNTRY (#PCDATA) > 
<!ELEMENT ZIP CODE (#PCDATA) > 


El 


, COUNTRY, ZIP CODE) > 


T 


<!ELEMENT USER_INFO (NAME, USERNAME, ROLE)> 
<!ELEMENT USERNAME (#PCDATA)> 
<!ELEMENT ROLE (#PCDATA)> 


<!-- TARGETING, FILTERING, SORTING CRITERIA --> 
<!ELEMENT SUMMARY (PARAM LIST, DETAILS?)> 
<!ELEMENT PARAM LIST (PARAM+)> 

<!ELEMENT PARAM (KEY, VALUE)> 
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<! 
<! 
<! 
<! 
<! 
<! 


<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
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RNE 


DAY 31 TO 60 COUNT (#PCDATA) > 
DAY 61 TO 90 COUNT (#PCDATA) > 
DAY 91 TO 180 COUNT (#PCDATA) > 
DAY 181 TO 270 COUNT (#PCDATA) > 
DAY 271 TO 365 COUNT (#PCDATA) > 


NON RUNNING KE 


NON RUNNING KE 


RNE 


1S (NON RUNNING KERNEL*) > 
1 (NRK OID*, IP*, SEVERITY*) > 


IP (#PCDATA) > 


NRK OID (#PCDATA) > 


SEVERITY (#PCDATA) > 
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U 


3 


> 


OSTS?, 
NUM SEV 3?, 
OSTS?, 


NT?, 
1 TO 60 COUNT?, 


E 


NT?) > 


ENT KEY (#PCDATA) > 
ENT VALUE (#PCDATA) > 
RESULTS --> 

ENT RESULTS (ASSET GROUP LIST, NON RUNNING KERNELS?) > 

ENT ASSET GROUP LIST (ASSET GROUP+) > 

ENT ASSET GROUP (TITLE, STATS)> 

ENT TITLE (#PCDATA) > 

ENT STATS (HOSTS, NUM SEV 5?, NUM SEV 5 VULNERABLE 
NUM SEV 42, NUM SEV 4 VULNERABLE HOSTS?, 
NUM SEV 3 VULNERABLE HOSTS?, VULNERABLE_ 
VULNERABLE HOSTS PCT?,VULNERABLE HOSTS GOAL?, 
CONFIRMED COUNT?, POTENTIAL COUNT?, NEW COUNT?, 
ACTIVE COUNT?, FIXED COUNT?, REOPENED CO 
IGNORED COUNT?, DAY 0 TO 30 COUNT?, DAY. 
DAY 61 TO 90 COUNT?, DAY 91 TO 180 COUNT? 
DAY 181 TO 270 COUNT?, DAY 271 TO 365 COU 

ENT HOSTS (#PCDATA) > 

ENT NUM SEV 5 (#PCDATA) > 

ENT NUM SEV 5 VULNERABLE HOSTS (#PCDATA) > 

ENT NUM SEV 4 (#PCDATA) > 

ENT NUM SEV 4 VULNERABLE HOSTS (#PCDATA) > 

ENT NUM SEV 3 (#PCDATA) > 

ENT NUM SEV 3 VULNERABLE HOSTS (#PCDATA) > 

ENT VULNERABLE HOSTS (#PCDATA) > 

ENT VULNERABLE HOSTS PCT (#PCDATA) > 

ENT VULNERABLE HOSTS GOAL (#PCDATA) > 

ENT CONFIRMED COUNT (#PCDATA) > 

ENT POTENTIAL COUNT (#PCDATA) > 

ENT NEW COUNT (#PCDATA) > 

ENT ACTIVE COUNT (#PCDATA) > 

ENT FIXED COUNT (#PCDATA) > 

ENT REOPENED COUNT (#PCDATA) > 

ENT IGNORED COUNT (#PCDATA) > 

ENT DAY 0 TO 30 COUNT (#PCDATA)> 

N 

N 

N 

N 

N 

N 

N 

N 

N 

N 
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XPaths for Asset Group Vulnerability Report 


XPath element specifications / notes 
/ASSET. GROUP SCORECARD (ERROR | (HEADER, SUMMARY, RESULTS)) 


/ASSET GROUP SCORECARD/ERROR  (#PCDATA) 


An error message. 


attribute: number An error code, when available 
/ASSET_GROUP_SCORECARD/HEADER 
(NAME, GENERATION_DATETIME, COMPANY_INFO, USER_INFO) 
/ASSET_GROUP_SCORECARD/HEADER/NAME (#PCDATA) 


The report header name is “Asset Group Vulnerability Report”. 
/ASSET_GROUP_SCORECARD/HEADER/GENERATION_DATETIME (#PCDATA) 


The date and time when the report was generated. 
/ASSET_GROUP_SCORECARD/SCORECARD_TYPE (#PCDATA) 


he scorecard type. 
/ASSET_GROUP_SCORECARD/HEADER/COMPANY_INFO 
(NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP_CODE) 
The user’s company name and address, as defined in the user’s account. 
/ASSET_GROUP_SCORECARD/HEADER/USER_INFO (NAME, USERNAME, ROLE) 
/ASSET_GROUP_SCORECARD/HEADER/USER_INFO/NAME (#PCDATA) 


The name of the user who generated the scorecard. 
/ASSET_GROUP_SCORECARD/HEADER/USER_INFO/USERNAME (#PCDATA) 


The user login ID of the user who generated the scorecard. 
/ASSET_GROUP_SCORECARD/HEADER/USER_INFO/ROLE (#PCDATA) 


The user role assigned to the user who generated the scorecard: Manager, 
nit Manager, Scanner or Reader. 


U 
ECARD/SUMMARY  (PARAM_LIST, DETAILS?) 


/ASSET_GROUP_SCOR 
/ASSET_GROUP_SCORECARD/SUMMARY/PARAM_LIST (PARAM+) 
/ASSET_GROUP_SCORECARD/SUMMARY/PARAM_LIST/PARAM (KEY, VALUE) 
/ASSET_GROUP_SCORECARD/SUMMARY/PARAM_LIST/PARAM/KEY (#PCDATA) 

A scorecard parameter name in the report source settings. 
/ASSET_GROUP_SCORECARD/SUMMARY/PARAM_LIST/PARAM/VALUE (#PCDATA) 


A scorecard parameter value in the report source settings. 


/ASSET_GROUP_SCORECARD/RESULTS (ASSET_GROUP_LIST, NON. RUNNING KERNELS?) 
/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP LIST (ASSET_GROUP+) 

/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP (TITLE, STATS) 

/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP/TITLE (#PCDATA) 


An asset group title. 
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element specifications / notes 


/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP/STATS 


(HOSTS, NUM. SEV. 5?, NUM_SEV_5_VULNERABLE_HOSTS?, NUM SEV 47, 
NUM. SEV 4 VULNERABLE HOSTS?, NUM SEV 372, 


NUM. SEV 3 VULNERABLE HOSTS?, VULNERABLE HOSTS?, 


VULNERABLE HOSTS PCT?, VULNERABLE_HOSTS_GOAL?, 
CONFIRMED COUNT?, POTENTIAL COUNT?, NEW COUNT?, 
ACTIVE COUNT?, FIXED COUNT?, REOPENED_COUNT?, 


GNORED COU 
ID) (511. 110) 19) 


T?, DAY 0 TO 30 COUNT?, DAY 31 TO 60 COUNT?, 
| COUNT?, DAY 91 TO 180 COUNT?, 
DAY 181 TO 270 COUNT?, DAY 271 TO 365 COUNT?) 


/ASSE1 


he number of 


P_GROUP_SCORECARD/RESULTS/ASSET_GRO 


UP/S 


live hos 


'ATS/HOSTS (*PCDATA) 


ts in the asset group that were scanned. 


/ASS 


tri 
H 


he number of 


[ GROUP. SCORECARD/RESULTS/ASSET. GRO 


UP/S 


severity 


S/NUM. SEV. 5 (#PCDATA) 


/ASS 


tm 
E 


[ GROUP SCORECARD/RESULTS/ASSET. GRO 
(#PCDATA) 


he number of ho 


UP/S 


sts in 


A 
5 vulnerabilities across all hosts in the asset group. 
'ATS/NUM_SEV_5_VULNERABLE_HOSTS 


the asset group with severity 5 vulnerabilities. 


ASSET 


l GROUP SCORECARD/RESULTS/ASSE 


he number of 


GIRO) 


UP/S 


severity 


'ATS/NUM. SEV. 4 (#PCDATA) 


4 vulnerabilities across all hosts in the asset group. 


/ASSE] 


T GROUP SCORECARD/RESULTS/ASSET. GRO 
(#PCDATA) 


he number of ho 


UP/S 


sts in 


‘ATS/NUM_SEV_4_VULNERABLE_ HOSTS 


the asset group with severity 4 vulnerabilities. 


PASSEN 


tT 


he number of 


l GROUP SCORECARD/RESULTS/ASSET. GRO 


UP/S 


severity 


'ATS/NUM_SEV_3 (#PCDATA) 


3 vulnerabilities across all hosts in the asset group. 


MASSEN 


l GROUP SCORECARD/RESULTS/ASSE 


(#PCDATA) 


he number of ho 


GRO 


UP/S 


sts in 


'ATS/NUM_SEV_3_VULNERABLE_HOSTS 


the asset group with severity 3 vulnerabilities. 


/ASSE] 


P_GROUP_SCORECARD/RESULTS/ASSET_GRO 


he number of ho 
selection for th 


UP/S 


sts in 


e report. 


'ATS/VULNERABLE_HOSTS 
the asset group that are vulnerable to the QID 


/ASSE] 


P_GROUP_SCORECARD/RESULTS/ASSE 


GRO 


The percentage of 
selection for th 


UP/S 


'ATS/VULNERABLE_HOSTS_PCT 


hosts in the asset group that are vulnerable to the QID 
e report. 


/ASSE] 


P_GROUP_SCORECARD/RESULTS/ASSET_GRO 


Appears only when Business Risk Goal is selected in the scorecard report 
template.) Indicates whether the asset group meets the level of acceptable 
isk. A value of 1 means that the group passes (the percentage of vulnerable 


UP/S 


'ATS/VULNERABLE_HOSTS_GOAL 


hosts was equal to or less than the business risk goal set in the template), 
and a value of 0 means the group fails (the percentage of vulnerable hosts 
was greater than the business risk goal set in the template). 


/ASSE] 


P_GROUP_SCORECARD/RESULTS/ASSE 


GRO 


[The number of Co 


UP/S 


nfirmed vulnerabilities. 


'ATS/CONFIRMED COUNT 


/ASSE'TI 


l GROUP SCORECARD/RESULTS/ASSE 


GRO 


[The number of Po 


UP/S 


'ATS/POTENTIAL COUNT 


tential vulnerabilities. 


MASSEI 


[F GROUP SCORECARD/RESULTS/ASSET. GROUP/S 


The number of vu 


ATS/NEW. COUNT 


nera 


bilities with status New. 
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XPath element specifications / notes 
/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP/STATS/ACTIVE. COUNT 


he number of vulnerabilities with status Active. 


/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP/STATS/ FIXED. COUNT 


he number of vulnerabilities with status Fixed. 


/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP/STATS/REOPENED. COUNT 


he number of vulnerabilities with status Re-Opened. 
/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP/STATS/IGNORED. COUNT 


he number of vulnerabilities with status Ignored. 


/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP/STATS/DAY 0 TO 30 COUNT 

The number of vulnerabilities detected in the last 30 days. 
/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP/STATS/DAY 31 TO 60 COUNT 

The number of vulnerabilities detected 31 to 60 days ago. 
/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP/STATS/DAY 61 TO 90 COUNT 

The number of vulnerabilities detected 61 to 90 days ago. 
/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP/STATS/DAY 91 TO 180 COUNT 

The number of vulnerabilities detected 91 to 180 days ago. 
/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP/STATS/DAY 181 TO 270 COUNT 

The number of vulnerabilities detected 181 to 270 days ago. 
/ASSET. GROUP. SCORECARD/RESULTS/ASSET. GROUP/STATS/DAY 271 TO 365 COUNT 

The number of vulnerabilities detected 271 to 365 days ago. 
/ASSET. GROUP. SCORECARD/RESULTS/NON. RUNNING KERNELS (NON. RUNNING KERNEL*) 
/ASSET. GROUP. SCORECARD/RESULTS/NON. RUNNING KERNELS/NON. RUNNING KERNEL (NRK_QID*, IP*, 
SEVERITY*)> 


/ASSET_GROUP_SCORECARD/RESULTS/NON_RUNNING_KERNELS/NON_RUNNING_KERNEL/NRK_QID 


(#PCDATA 


The QID assigned to a vulnerability detected on a non-running kernel. 
/ASSET_GROUP_SCORECARD/RESULTS/NON_RUNNING_KERNELS/NON_RUNNING_KERNEL/IP (#PCDATA) 
The IP address of the host with the non-running kernel vulnerability. 


/ASSET_GROUP_SCORECARD/RESULTS/NON_RUNNING_KERNELS/NON_RUNNING_KERNEL/SEVERITY 
(#PCDATA\ 


The severity of the vulnerability detected on a non-running kernel. 
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Ignored Vulnerabilities Report 


API used 


<platform API server>/api/2.0/fo/report/scorecard/ 


DTD for Ignored Vulnerabilities Report 
<platform API server>/ignored_vulns_scorecard.dtd 


A recent DTD is shown below. 


<?xml version="1.0" encoding="UTF-8"?> 


<!-- QUALYS IGNORED VULNS SCORECARD DTD --> 
<!ELEMENT IGNORED VULNS SCORECARD (ERROR | (HEADER, SUMMARY, RESULTS) ) > 
<!ELEMENT ERROR (#PCDATA) > 


<!ATTLIST ERROR number CDATA #IMPLIED> 


<!-- GENERIC HEADER --> 
<!ELEMENT HEADER (NAME, GENERATION DATETIME, COMPANY INFO, USER_INFO) > 
<!ELEMENT NAME (#PCDATA) > 
<!ELEMENT GENERATION DATETIME (#PCDATA) > 
<!ELEMENT SCORECARD TYPE (#PCDATA) > 


<!ELEMENT COMPANY INFO (NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP CODE) > 
<!ELEMENT ADDRESS (#PCDATA) > 

<!ELEMENT CITY (#PCDATA) > 
<!ELEMENT STATE (#PCDATA) > 
<!ELEMENT COUNTRY (#PCDATA) > 
<!ELEMENT ZIP_CODE (#PCDATA) > 


<!ELEMENT USER INFO (NAME, USERNAME, ROLE) > 
<!ELEMENT USERNAME (#PCDATA) > 
<!ELEMENT ROLE (#PCDATA) > 


<!-- TARGETING, FILTERING, SORTING CRITERIA --> 
<!ELEMENT SUMMARY (PARAM LIST) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 


<!-- RESULTS --> 

<!ELEMENT RESULTS (ASSET GROUP_LIST)> 
M 
M 


<!ELEMENT ASSET GROUP LIST (ASSET GROUP+) > 
<!ELEMENT ASSET GROUP (TITLE, DETECTION LIST) > 


<!ELEMENT DETECTION LIST (DETECTION+) > 
<!ELEMENT DETECTION (HOST, VULN, TICKET) > 


<!ELEMENT HOST (IP, DNS?, N 
<!ELEMENT IP (#PCDATA) > 


Ei 


TBIOS?, 052?) > 
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<!ELEMENT DNS (#PCDATA) > 

<!ELEMENT NETBIOS (#PCDATA) > 

<!ELEMENT OS (#PCDATA) > 

<!ELEMENT VULN (QID, TITLE, FIRST FOUND DATE?, SEVERITY, TYPE, 
CVSS_BASE?, CVSS TEMPORAL?) > 

<!ELEMENT QID (#PCDATA) > 

<!ELEMENT TITLE (#PCDATA) > 

<!ELEMENT FIRST FOUND DATE (#PCDATA) > 

<!ELEMENT SEVERITY (#PCDATA) > 

<!ELEMENT TYPE (#PCDATA) > 

<!ELEMENT CVSS BASE (#PCDATA) > 

<!ELEMENT CVSS TEMPORAL (#PCDATA) > 

<!ELEMENT TICKET (NUMBER, STATE DAYS, LAST MODIFIED DATE, COMMENTS?, 

ASSIGNEE NAME?, ASSIGNEE EMATL?) > 

<!ELEMENT NUMBER (#PCDATA) > 

<!ELEMENT STATE DAYS (#PCDATA) > 

<!ELEMENT LAST MODIFIED DATE (#PCDATA) > 

<!ELEMENT COMMENTS (#PCDATA) > 

<!ELEMENT ASSIGNEE NAME (#PCDATA) > 

<!ELEMENT ASSIGNEE EMAIL (#PCDATA) > 


XPaths for Ignored Vulnerabilities Report 


XPath 


eleme 


nt specifications / notes 


/IGNOR. 


EDmV WEN Sms GOR 


ECARD 


(ERROR | (HEADER, SUMMARY, RESULTS)) 


/IGNOR 


ED_VULNS_SCOR 


ECARD/ERROR 


(4PCDATA) 


An error message. 


bute: number 


An error code, when available 


ED_VULNS_SCOR 


ECARD/HEAD 


ER 
NAME, GENERATION_DATETIME, COMPANY_INFO, USER_INFO) 


D_VULNS_SCOR 


ECARD/HEAD 


ER/NAME (#PCDATA) 


he report header name is “Ignored Vulnerabilities Report”. 


D VULNS SCOR 


ECARD/HEAD 


ER/GENERATION_DATETIME (#PCDATA) 


he date and time when the report was generated. 


D_VULNS_SCOR 


ECARD/HEAD 


The s 


Ç 


R/SCORECARD TYPE (#PCDATA) 


orecard type. 


D_VULNS_SCOR 


ECARD/HEAD 


(NAM 


The us 


R/COMPANY_INFO 
E, ADDRESS, CITY, STATE, COUNTRY, ZIP_CODE) 


er's company name and address, as defined in the user's account. 


/IGNORED_VULNS_SCORECARD/ 


EADE 


R/USER_INFO (NAME, USERNAME, ROLE) 


/IGNORED_VULNS_SCORECARD/ 


EADE 


R/USER_INFO/NAME (#PCDATA) 


The name of the user who generated the scorecard. 
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XPath element specifications / notes 
/IGNORED VULNS. SCORECARD/HEADER/USER INFO/USERNAME (#PCDATA) 


The user login ID of the user who generated the scorecard. 
/IGNORED_VULNS_SCORECARD/HEADER/USER_INFO/ROLE (#PCDATA) 


The user role assigned to the user who generated the scorecard: Manager, 
Unit Manager, Scanner or Reader.. 


NORED_VULNS_SCORECARD/SUMMARY (PARAM_LIST) 
NORED_VULNS_SCORECARD/SUMMARY/PARAM_LIST (PARAM+) 
NORED_VULNS_SCORECARD/SUMMARY/PARAM_LIST/PARAM (KEY, VALUE) 
NORED_VULNS_SCORECARD/SUMMARY/PARAM_LIST/PARAM/KEY (#PCDATA) 

A scorecard parameter name in the report source settings. 
/IGNORED_VULNS_SCORECARD/SUMMARY/PARAM_LIST/PARAM/VALUE (#PCDATA) 


A scorecard parameter value in the report source settings. 


AIAS 
0) OQ) A O 


/IGNORED_VULNS_SCORECARD/RESULTS (ASSET. GROUP LIST 
/IGNORED VULNS. SCORECARD/RESULTS/ASSET. GROUP LIST (ASSET_GROUP+) 
/IGNORED VULNS. SCORECARD/RESULTS/ASSET. GROUP LIST/ASSET. GROUP (TITLE, DETECTION LIST) 
/IGNORED. VULNS. SCORECARD/RESULTS/ASSET. GROUP. LIST/ASSET. GROUP/TITLE 
An asset group title. 
/IGNORED VULNS SCORECARD/RESULTS/ASSET. GROUP LIST/ASSET. GROUP/DETECTION LIS 
(DETECTION+) 
/IGNORED_VULNS_SCORECARD/RESULTS/ASSET_GROUP_LIST/ASSET_GROUP/DETECTION_LIST/ 
DETECTION (HOST, VULN, TICKET 
/IGNORED_VULNS_SCORECARD/RESULTS/ASSET_GROUP_LIST/ASSET_GROUP/DETECTION_LIST/ 
DETECTION/HOST - (IP, DNS?, NETBIOS?, OS? 


Information about the host, including its IP address and this additional 
information when available: DNS hostname, NetBIOS hostname, and 
operating system. 


/IGNORED_VULNS_SCORECARD/RESULTS/ASSET_GROUP_LIST/ASSET_GROUP/DETECTION_LIST/ 
DETECTION/VULN 


(QID, TITLE, FIRST. FOUND DATE?, SEVERITY, TYPE, CVSS_BASE?, 
CVSS_TEMPORAL?) 


Information about the vulnerability detected. CVSS Base and Temporal 
scores are included when the CVSS Scoring feature is enabled for the 
subscription. 


/IGNORED_VULNS_SCORECARD/RESULTS/ASSET_GROUP_LIST/ASSET_GROUP/DETECTION_LIST/ 
DETECTION/TICKET 


(NUMBER, STATE. DAYS, LAST. MODIFIED DATE, COMMENTS?, 
ASSIGNEE_NAME?, ASSIGNEE EMAIL?) 


Information about a related ticket if one exists. Information includes the 
ticket number, the number of days the ticket has been in the 
Closed/Ignored state, and the date the ticket was created or last modified, 
any user-defined comments, and the ticket assignee's name and email 
address. 
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Most Prevalent Vulnerabilities Report 


API used 


<platform API server>/api/2.0/fo/report/scorecard/ 


DTD for Most Prevalent Vulnerabilities Report 
<platform API server>/most_prevalent_vulns_scorecard.dtd 


A recent DTD is shown below. 


<?xml version="1.0" encoding="UTF-8"?> 
<!-- QUALYS MOST PREVALENT VULNS SCORECARD DTD --> 


<!ELEMENT MOST PREVALENT VULNS SCORECARD (ERROR | (HEADER, SUMMARY, 
RESULTS) ) > 


<!ELEMENT ERROR (#PCDATA) > 
<!ATTLIST ERROR number CDATA #IMPLIED> 


HEADER --> 

ENT HEADER (NAME, GENERATION DATETIME, COMPANY INFO, USER_INFO)> 
E (#PCDATA) > 

ENT GENERATION DATETIME (#PCDATA) > 

ENT SCORECARD TYPE (#PCDATA) > 


<!ELEMENT COMPANY INFO (NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP CODE) > 
<!ELEMENT ADDRESS (#PCDATA) > 

<!ELEMENT CITY (#PCDATA) > 
<!ELEMENT STATE (#PCDATA) > 
<!ELEMENT COUNTRY (#PCDATA) > 
<!ELEMENT ZIP CODE (#PCDATA) > 


<!ELEMENT USER INFO (NAME, USERNAME, ROLE) > 
<!ELEMENT USERNAME (#PCDATA) > 
<!ELEMENT ROLE (#PCDATA) > 


<!-- TARGETING, FILTERING, SORTING CRITERIA --> 
SUMMARY (PARAM LIST, DETAILS?) > 
! PARAM LIST (PARAM+) > 
<!ELEMENT PARAM (KEY, VALUE) > 
l KEY (#PCDATA)> 
<!ELEMENT VALUE (#PCDATA)> 


<!-- RESULTS --> 

<!ELEMENT RESULTS (VULN_LIST)> 

<!ELEMENT VULN LIST (VULN+) > 

<! ELEM E?, 


ENT VULN (RANK, OID, TITLE, SEVERITY, TYPE, FIRST FOUND DATE? 
DETECTIONS?, CVSS BASE?, CVSS TEMPORAL?, 

TOTAL HOSTS AFFECTED?, PERCENT HOSTS AFFECTED?)> 

<!ELEMENT RANK (#PCDATA) > 

<!ELEMENT QID (#PCDATA) > 

<!ELEMENT TITLE (#PCDATA) > 

<!ELEMENT SEVERITY (#PCDATA) > 
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< 
< 
< 
< 
< 
< 
< 


Q 


F 


MENT TYPE (#PCDAT 


F 


TA) > 


EM 


ENT FIRST FOUND DATE (#PCDATA) > 


EM 


E 


pT 


ENT DETECTIONS 


(#PCDATA) > 


EM 


ENT CVSS BASE (#PCDATA) > 


EM 


ENT CVSS TEMPORAL (#PCDATA) > 


EM 


ENT TOTAL HOSTS AFFECTED (#PCDATA) > 


L 


EM 


ENT PERCENT HOSTS AFFECTED (#PCDATA) > 
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XPaths for Most Prevalent Vulnerabilities Report 


XPath element specifications / notes 
/MOST_PREVALENT_VULNS_SCORECARD 

(ERROR | (HEADER, SUMMARY, RESULTS)) 
/MOST_PREVALENT_VULNS_SCORECARD/ERROR  (#PCDATA) 

An error message. 

attribute: number An error code, when available 
/MOST_PREVALENT_VULNS_SCORECARD/HEADER 

(NAME, GENERATION_DATETIME, COMPANY_INFO, USER_INFO) 
/MOST_PREVALENT_VULNS_SCORECARD/HEADER/NAME (#PCDATA) 

The report header name is “Most Prevalent Vulnerabilities Report”. 
/MOST_PREVALENT_VULNS_SCORECARD/HEADER/GENERATION_DATETIME (#PCDATA) 

The date and time when the report was generated. 
/MOST_PREVALENT_VULNS_SCORECARD/HEADER/SCORECARD_TYPE (#PCDATA) 

The scorecard type. 
/MOST_PREVALENT_VULNS_SCORECARD/HEADER/COMPANY_INFO 

(NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP_CODE) 

The user’s company name and address, as defined in the user’s account. 
/MOST_PREVALENT_VULNS_SCORECARD/HEADER/USER_INFO (NAME, USERNAME, ROLE) 
/MOST_PREVALENT_VULNS_SCORECARD/HEADER/USER_INFO/NAME (#PCDATA) 

The name of the user who generated the scorecard. 
/MOST_PREVALENT_VULNS_SCORECARD/HEADER/USER_INFO/USERNAME (#PCDATA) 

The user login ID of the user who generated the scorecard. 
/MOST_PREVALENT_VULNS_SCORECARD/HEADER/USER_INFO/ROLE (#PCDATA) 

The user role assigned to the user who generated the scorecard: Manager, 

Unit Manager, Scanner or Reader. 
/MOST_PREVALENT_VULNS_SCORECARD/SUMMARY (PARAM_LIST) 
/MOST_PREVALENT_VULNS_SCORECARD/SUMMARY/PARAM_LIST (PARAM+) 
/MOST_PREVALENT_VULNS_SCORECARD/SUMMARY/PARAM_LIST/PARAM (KEY, VALUE) 
/MOST_PREVALENT_VULNS_SCORECARD/SUMMARY/PARAM_LIST/PARAM/KEY (#PCDATA) 

A scorecard parameter name in the report source settings. 
/MOST_PREVALENT_VULNS_SCORECARD/SUMMARY/PARAM_LIST/PARAM/VALUE (#PCDATA) 

A scorecard parameter value in the report source settings. 
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element specifications / notes 


/MOST_PREVALENT 


[ VULNS. SCORECARD/RESULTS (VULN_LIST) 


/MOST_PREVALENT 


T VULNS. SCORECARD/RESULTS/VULN LIST (VULN+) 


/MOST_PREVALENT 


[T_VULNS_SCORECARD/RESULTS/VULN 


(ANETTE SEVERA ADE IRU 
CVSS_BASE?, CVSS_TEMPORAL?, TOTAL_ 
PERCENT_HOSTS_AFFECTED?) 


F FOUND DATE?, DETECTIONS?, 
HOSTS AFFECTED?, 


/MOST_PREVALENT_VULNS_SCORECARD/RESULTS/VULN/RANK (#PCDATA) 

The rank of the vulnerability. The vulnerability that was detected on the 

largest number of hosts is listed as #1. 
/MOST_PREVALENT_VULNS_SCORECARD/RESULTS/VULN/QID (#PCDATA) 

The QID assigned to the vulnerability. 
/MOST_PREVALENT_VULNS_SCORECARD/RESULTS/VULN/TITLE (#PCDATA) 

The vulnerability title. 
/MOST_PREVALENT_VULNS_SCORECARD/RESULTS/VULN/SEVERITY (#PCDATA) 

The severity level assigned to the vulnerability. 
/MOST_PREVALENT_VULNS_SCORECARD/RESULTS/VULN/TYPE (#PCDATA) 

The vulnerability type. 
/MOST_PREVALENT_VULNS_SCORECARD/RESULTS/VULN/FIRST_FOUND_DATE (#PCDATA) 

The date and time the vulnerability was first detected. 
/MOST_PREVALENT_VULNS_SCORECARD/RESULTS/VULN/DETECTIONS (#PCDATA) 

The total number of times the vulnerability was detected. 
/MOST_PREVALENT_VULNS_SCORECARD/RESULTS/VULN/CVSS_BASE (#PCDATA) 

The CVSS base score for the vulnerability. This is displayed only when the 

CVSS Scoring feature is enabled for the subscription. 
/MOST_PREVALENT_VULNS_SCORECARD/RESULTS/VULN/CVSS_TEMPORAL (#PCDATA) 

The CVSS temporal score for the vulnerability. This is displayed only when 

the CVSS Scoring feature is enabled for the subscription. 
/MOST_PREVALENT_VULNS_SCORECARD/RESULTS/VULN/TOTAL_HOSTS_AFFECTED (#PCDATA) 

The number of hosts that are currently affected by the vulnerability. 
/MOST_PREVALENT_VULNS_SCORECARD/RESULTS/VULN/PERCENT_HOSTS_AFFECTED (#PCDATA) 


The percentage of hosts that are currently affected by the vulnerability. 
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<platform API server>/api/2.0/fo/report/scorecard/ 


DTD for Most Vulnerable Hosts Report 


<platform API server>/most. vulnerable hosts scorecard.dtd 


A recent DTD is below. 
<?xml version="1.0" encoding="UTF-8"?> 
<!-- QUALYS MOST VULNERABLE HOSTS SCORECARD DTD --> 
<!ELEMENT MOST VULNERABLE HOSTS SCORECARD (ERROR | (HEADER, SUMMARY, 
RESULTS) ) > 
<!ELEMENT ERROR (#PCDATA) > 
<!ATTLIST ERROR number CDATA #IMPLIED> 
<!-- GENERIC HEADER --> 
<!ELEMENT HEADER (NAME, GENERATION DATETIME, COMPANY INFO, USER INFO) > 
<!ELEMENT NAME (#PCDATA) > 
<!ELEMENT GENERATION DATETIME (#PCDATA) > 
<!ELEMENT SCORECARD TYPE (#PCDATA) > 
<!ELEMENT COMPANY INFO (NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP CODE) > 
<!ELEMENT ADDRESS (#PCDATA) > 
<!ELEMENT CITY (#PCDATA) > 
<!ELEMENT STATE (#PCDATA) > 
<!ELEMENT COUNTRY (#PCDATA) > 
<!ELEMENT ZIP CODE (#PCDATA) > 
<!ELEMENT USER INFO (NAME, USERNAME, ROLE) > 
<!ELEMENT USERNAME (#PCDATA) > 
<!ELEMENT ROLE (#PCDATA) > 
<!-- TARGETING, FILTERING, SORTING CRITERIA --> 
<!ELEMENT SUMMARY (PARAM LIST, DETAILS?) > 
<!ELEMENT PARAM LIST (PARAM+) > 
<!ELEMENT PARAM (KEY, VALUE)> 
<!ELEMENT KEY (#PCDATA) > 
<!ELEMENT VALUE (#PCDATA) > 
<!-- RESULTS --> 
<!ELEMENT RESULTS (HOST LIST) > 
<!ELEMENT HOST LIST (HOST+) > 
<!ELEMENT HOST (RANK, IP, DNS?, NETBIOS?, LAST SCAN DATE?, 
NUM SEV 5, NUM SEV 4, BUSINESS RISK, SECURITY RISK, 
ASSET GROUPS?) > 
<!ELEMENT RANK (#PCDATA) > 
<!ELEMENT IP (#PCDATA) > 
<!ELEMENT DNS (#PCDATA) > 
<!ELEMENT NETBIOS (#PCDATA) > 
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<!ELEMEN 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 7 - VM Scorecard Reports XML 


T LAST SCAN DATE (#PCDATA) > 
T NUM SEV 5 (#PCDATA) > 

T NUM SEV 4 (#PCDATA) > 

T BUSINESS RISK (#PCDATA) > 
T SECURITY RISK (#PCDATA) > 
T ASSET GROUPS (#PCDATA) > 


XPaths for Most Vulnerable Hosts Report 


XPath 


element specifications / notes 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD 
(ERROR | (HEADER, SUMMARY, RESULTS)) 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD/ERROR (#PCDATA) 


An error message. 


at 


tribute: number 


An error code, when available 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD/HEADER 
(NAME, GENERATION_DATETIME, COMPANY_INFO, USER_INFO) 


/MOST. VULNERABLE HOSTS. 


SCORECARD/HEADER/NAME (#PCDATA) 


The report header name is “Most Vulnerable Hosts Report”. 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD/HEADER/GENERATION_DATETIME (#PCDATA) 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD/HEADER/SCORECARD_TYPE (#PCDATA) 


The scorecard type. 


H 

The date and time when the report was generated. 
H 
a 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD/HEADER/COMPANY_INFO 
(NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP_CODE) 


The user's company name and address, as defined in the user's account. 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD/HEADER/USER_INFO (NAME, USERNAME, ROLE) 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD/HEADER/USER_INFO/NAME (#PCDATA) 


The name of the user who generated the scorecard. 


mi 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD/HEADER/USER_INFO/USERNAME (#PCDATA) 


The user login ID of the user who generated the scorecard. 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD/HEADER/USER_INFO/ROLE (#PCDATA) 


The user role assigned to the user who generated the scorecard: Manager, 
Unit Manager, Scanner or Reader. 


MOST_VULNERABLE_HOSTS_ 


SCORECARD/SUMMARY (PARAM_LIST) 


MOST_VULNERABLE_HOSTS_ 


SCORECARD/SUMMARY/PARAM LIST (PARAM+) 


MOST VULNERABLE HOSTS. 


SCORECARD/SUMMARY/PARAM LIST/PARAM (KEY, VALUE) 


MOST VULNERABLE HOSTS. 


SCORECARD/SUMMARY/PARAM LIST/PARAM/KEY (#PCDATA) 


A scorecard parameter name in the report source settings. 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD/SUMMARY/PARAM_LIST/PARAM/VALUE (#PCDATA) 


A scorecard parameter value in the report source settings. 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD/RESULTS (HOST_LIST) 


/MOST_VULNERABLE_HOSTS_ 


SCORECARD/HOST_LIST (HOST+) 
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XPath element specifications / notes 
/MOST_VULNERABLE_HOSTS_SCORECARD/HOST 


(RANK, IP, DNS?, NETBIOS?, LAST_SCAN_DATE?, NUM_SEV_5, NUM_SEV_4, 
BUSINESS_RISK, SECURITY_RISK, ASSET_GROUPS?) 


/MOST_VULNERABLE_HOSTS_SCORECARD/HOST/RANK (#PCDATA) 


The rank for the host. The host with the highest number of vulnerabilities 
with severity levels 4 and 5 is listed as #1. 


/MOST_VULNERABLE_HOSTS_SCORECARD/HOST/IP (#PCDATA) 
The IP address for the host. 
/MOST_VULNERABLE_HOSTS_SCORECARD/HOST/DNS (#PCDATA) 
The DNS hostname. 
/MOST_VULNERABLE_HOSTS_SCORECARD/HOST/NETBIOS (#PCDATA) 
The NetBIOS hostname. 
/MOST_VULNERABLE_HOSTS_SCORECARD/HOST/LAST_SCAN_DAT 


mi 


(#PCDATA) 
The date and time the host was last scanned for vulnerabilities. 
/MOST_VULNERABLE_HOSTS_SCORECARD/HOST/NUM_SEV_5 (#PC DATA) 


The current number of severity 5 vulnerabilities detected on the host. 
/MOST_VULNERABLE_HOSTS_SCORECARD/HOST/NUM_SEV_4 (#PCDATA) 

The current number of severity 4 vulnerabilities detected on the host. 
/MOST_VULNERABLE_HOSTS_SCORECARD/HOST/BUSINESS_RISK (#PCDATA) 


[he business risk value. See “Business Risk” in the online help for 
information. 


If the host belongs to one asset group in the report, the business risk value 
for that asset group is displayed. If the host belongs to multiple asset 
groups in the report, the highest business risk value across the asset groups 
is displayed. 
/MOST_VULNERABLE_HOSTS_SCORECARD/HOST/SECURITY_RISK (#PCDATA) 


The highest severity level across the vulnerabilities and potential 
vulnerabilities detected on the host. 


/MOST_VULNERABLE_HOSTS_SCORECARD/HOST/ASSET_GROUPS (#PCDATA) 
A list of asset groups that the host belongs to. 
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Patch Scorecard Report 


API used 


<platform API server>/api/2.0/fo/report/scorecard/ 


DTD for Patch Scorecard Report 
<platform API server>/patch_scorecard.dtd 


A recent DTD is below. 


<?xml version="1.0" encoding="UTF-8"?> 
<!-- QUALYS PATCH REPORT SCORECARD DTD --> 


<!ELEMENT PATCH REPORT SCORECARD (ERROR | (HEADER, SUMMARY, RESULTS) )> 
<!ELEMENT ERROR (#PCDATA) > 
<!ATTLIST ERROR number CDATA #IMPLIED> 


<!-- GENERIC HEADER --> 
i HEADER (NAME, GENERATION DATETIME, COMPANY INFO, USER INFO) > 

<!ELEMENT NAME (#PCDATA) > 

<!ELEMENT GENERATION DATETIME (#PCDATA) > 


<!ELEMENT COMPANY INFO (NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP CODE) > 
<!ELEMENT ADDRESS (#PCDATA) > 

<!ELEMENT CITY (#PCDATA) > 
<!ELEMENT STATE (#PCDATA) > 
<!ELEMENT COUNTRY (#PCDATA) > 
<!ELEMENT ZIP CODE (#PCDATA) > 


<!ELEMENT USER INFO (NAME, USERNAME, ROLE) > 
<!ELEMENT USERNAME (#PCDATA) > 
<!ELEMENT ROLE (#PCDATA) > 


<!-- TARGETING, FILTERING, SORTING CRITERIA --> 
SUMMARY (PARAM LIST, DETAILS?) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARAM (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 


<!-- SUMMARY DETAILS --> 

<!ELEMENT DETAILS (ASSET GROUP LIST) > 

<!ELEMENT ASSET GROUP LIST (ASSET GROUP*) > 

<!ELEMENT ASSET GROUP (TITLE, (STATS | DETECTION LIST) )> 
<!ELEMENT STATS (NUM HOSTS?, SCANNED HOSTS?, MISSING?)> 
<!ELEMENT NUM HOSTS (#PCDATA) > 

<!ELEMENT SCANNED HOSTS (#PCDATA) > 

<!ELEMENT MISSING (ONE OR MORE PATCHES?, SOFTWARE 1?, SOFTWARE 2?) > 
<!ELEMENT ONE OR MORE PATCHES (PERCENT, TOTAL HOSTS) > 
<!ELEMENT SOFTWARE 1 (PERCENT, TOTAL HOSTS, QID?)> 
<!ELEMENT SOFTWARE 2 (PERCENT, TOTAL HOSTS, QID?)> 
<!ELEMENT PERCENT (#PCDATA) > 
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<!ELEMENT TOTAL HOSTS 


<!ELEMENT OID 


<!-- RESULTS --> 
ULTS 


<!E E ENT RES 


( 


<!ELEMENT DET 


PCDATA) > 


(A 


ECTION 
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(t PCDATA) > 


SSET GROUP LIST) > 


IST (DET 


[TECTION* ) > 


<!ELEMENT DET 


<!ELEMENT H 
<!ELEMENT I 
<!ELEMENT DNS 
<!ELEMENT N 
<!ELEMENT OS 


D 


ECTION 


T (IP, 


(#PCDAI 
(#PC 

ETBIOS 

(#PCDAI 


<!ELEMENT OWN 


ER 


( 


( 


#PC 


<!ELEMENT VULN (QID, 
<!ELEMENT VENDOR REF 
<!ELEMENT TITLE (#PC 


DNS?, NET 


TA) > 
DATA) > 


PCDATA) > 


TA) > 


DATA) > 


(HOST, VULN) > 


[BIOS?, OS?, OWNER?) > 


VENDOR_REF?, TITLE) > 


DATA) > 


PCDATA) > 


XPaths for Patch Scorecard Report 


XPath 


element specifications / notes 


/PATCH_REPORT_SCORECARD 


(ERROR | (HEADER, SUMMARY, RESULTS)) 


/PATCH_REPORT_SCORECARD/ERROR 


(#PCDATA) 


An error message. 


attribute: number 


An error code, when available 


/PATCH_REPORT_SCORECARD/HEADER 

(NAME, GENERATION_DATETIME, COMPANY_INFO, USER_INFO) 
/PATCH_REPORT_SCORECARD/HEADER/NAME (#PCDATA) 

The report header name is “Patch Report”. 
/PATCH_REPORT_SCORECARD/HEADER/GENERATION_DATETIME (#PCDATA) 

The date and time when the report was generated. 
/PATCH_REPORT_SCORECARD/HEADER/COMPANY_INFO 

(NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP_CODE) 

The user’s company name and address, as defined in the user’s account. 
/PATCH_REPORT_SCORECARD/HEADER/USER_INFO (NAME, USERNAME, ROLE) 
/PATCH_REPORT_SCORECARD/HEADER/USER_INFO/NAME (#PCDATA) 

The name of the user who generated the scorecard. 
/PATCH_REPORT_SCORECARD/HEADER/USER_INFO/USERNAME (#PCDATA) 

The user login ID of the user who generated the scorecard. 
/PATCH_REPORT_SCORECARD/HEADER/USER_INFO/ROLE (#PCDATA) 


The user role for the user who generated the scorecard: Manager, Unit 


Manager, Scanner or Reader. 
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REEK (68) 


RECA 


RD/S 


MMARY (PARAM_LIST, DETAI 


LS?) 


MEREL GRIS 60) 


REGA 


RD/S 


(PARAM+) 


_REPORT_SCO 


RECA 


RD/S 


MMARY/PARAM_LIST/PARAM 


(KEY, VALUE) 


BRELORMa5 00) 


RECA 


RD/S 


U 
UMMARY/PARAM_LIST 
U 
U 


MMARY/PARAM_LIST/PARAM/KEY 


ecard parameter name 


(#PCDATA) 


in the report source settings. 


/PATC 


MRO RS 66) 


REGA 


RD/S 


UMMARY/PARAM_LIS1 


ecard parameter value in the report source settings. 


[/PARAM/VALUE (#PCDATA) 


REPORT_SCO 


REGA 


RD/S 


UMMARY/DETAILS (ASSET_G 


ROUP LIST) 


REPORT. SCO 


REGA 


RD/S 


RY/DETAI 


ES/ ASS ei G ROU Pal 


ST (ASSET. GROUP”) 


REPORT. SCO 


RECA 


RD/S 


LS/ASSET_GROUP_L 


E, (STATS 


A 
UMMARY/DETAI 
IL 


NENE CIO NAS) 


ST/ASSET_GROU 


P) 


TITLE (4PCDATA) 


REPORT. SCO 


REGA 


RD/S 


UMMARY/DETAI 


LS/ASSET. GROUP L 


title. 


ST/ASSET. GROU 


P/ 


/PATC 


KERGUS 00 


REGA 


RD/S 


UMMARY/DETAI 


LS/ASSET_ Oie ili 


ST/ASSET_GROU 


P/S 


HOSTS?, SCANNED_HOSTS? 


, MISSING?) 


/PATC 


REPORT_SCO 


RECA 


NUM_HOSTS (#PCDATA) 


RD/S 


data, followed 
asset group. 


UMMARY/DETAILS/ASSET 


[The number of hosts in 


UPL IL, 


the asset 
in parentheses by th 


grou 
e total number of 


ST/ASSET_GROU 


p for which the 


P/S 


ATS/ 


eis vulnerability scan 
IP addresses in the 


/PATC 


REPORT. SCORECARD/SUMMA 


SCANNED_HOSTS (#PCDATA) 


"he numbe 


RY/DETAILS/ASSET. GRO 


of hosts in 


Wheat 


the asset 


grou 


IST/ASSET_GROU 


p for which the 


P/STATS/ 


eis vulnerability scan 


/PATC 


_REPORT_SCORECARD/S 


UMMARY/DETAILS/MISSING 
E_OR_MORE_PATCHES?, SOFTWARE_1?, SOFTWARE_2?) 


/PATC 
MISSI 


G/ONE_OR_MORE_PATCI 


_REPORT_SCORECARD/S 


RY/ASSE'I 


TOTAL HOSTS) 


F GROUP LIST/ASSET. GROUP/S 


A 


S/DETAILS/ 


/PATC 


_REPORT_SCORECARD/S 
MISSING/ONE_OR_MORE_PATCI 


A 
(PERCENT, 
A 


one o 


RY/ASSET_GROU 
RCENT (#PCDATA) 


[he percentage of scanned hosts in the asse 
f the user-specified patches. 


P_LIST/ASSET_GROUP/S 


A 


t grou 


S/DETAILS/ 


p that are missing at least 


/PATCH_REPORT_SCORECARD/S 


MISSING/ONE_OR_MORE_PA’ 


UMMARY/ASSET_GROU 


CH 


ES/TOTAL_HOS 


one 0 


The number of 
f the user-specified patches. 


TS (4PCDATA) 


scanned hos 


P_LIST/ASSET_GROUP/STAI 


FS/DETAILS/ 


tsinthe asset group that are missing at least 


/PATC 


_REPORT_SCORECARD/S 
TWARE_1/ (PERCENT, TOTAL_HOSTS, 0 


UMMARY/ASSET 
D?) 


F GROUP LIST/ASSE 


_GROUP/STA! 


S/] 


DE 


'AILS/MISSING/SOF 


/PATC 


_REPORT_SCORECARD/S 
TWARE 1/PERCENT (#PCDATA) 


UMMARY/ASSE'I 


F GROUP LIST/ASSE 


The percentage of scanned hosts in the asset g 


first user-speci 


fied software QID. 


_GROUP/STA! 


S/1 


DE 


'AILS/MISSING/SOF 


oup that are missing the 
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XPath element specifications / notes 


/PATCH REPORT. SCORECARD/SUMMARY/ASSET. GROUP LIST/ASSET. GROUP/STATS/DETAILS/MISSING/SOF 
TWARE 1/TOTAL HOSTS (#PCDATA) 


The number of scanned hosts in the asset group that are missing the first 
user-specified software OID. 


/PATCH. REPORT. SCORECARD/SUMMARY/ASSET. GROUP LIST/ASSET. GROUP/STATS/DETAILS/MISSING/SOF 
TWARE_1/QID (#PCDATA) 


The first user-specified software QID. 


/PATCH_REPORT_SCORECARD/SUMMARY/ASSET_GROUP_LIST/ASSET_GROUP/STATS/DETAILS/MISSING/SOF 
TWARE_2 (PERCENT, TOTAL_HOSTS, QID?) 


/PATCH_REPORT_SCORECARD/SUMMARY/ASSET_GROUP_LIST/ASSET_GROUP/STATS/DETAILS/MISSING/SOF 
TWARE_2/ PERCENT (#PCDATA) 


he percentage of scanned hosts in the asset group that are missing the 
second user-specified software QID. 


/PATCH_REPORT_SCORECARD/SUMMARY/ASSET_GROUP_LIST/ASSET_GROUP/STATS/DETAILS/MISSING/SOF 
TWARE_2/TOTAL_HOSTS (#PCDATA) 


The number of scanned hosts in the asset group that are missing the 
second user-specified software QID. 


/PATCH_REPORT_SCORECARD/SUMMARY/ASSET_GROUP_LIST/ASSET_GROUP/STATS/DETAILS/MISSING/SOF 
TWARE_2/QID (#PCDATA) 


The second user-specified software QID. 
/PATCH_REPORT_SCORECARD/RESULTS (ASSET_GROUP_LIST) 
/PATCH_REPORT_SCORECARD/RESULTS/ASSET_GROUP_LIST/ASS ROUP LIST (ASSET_GROUP”) 


/PATCH REPORT. SCORECARD/RESULTS/ASSET. GROUP LIST/ASSET. GROUP (TITLE, (STATS | 
DETECTION LIST)) 


/PATCH. REPORT. SCORECARD/RESULTS/ASSET. GROUP. LIST/ASS 


m 
a) 


E 


mi 
tri 


trj 
Q 


ROUP/TITLE (#PCDATA) 
An asset group title. 
/PATCH. REPORT. SCORECARD/RESULTS/ASSET. GROUP LIST/ASSET. GROUP/STATS 
(NUM. HOSTS?, SCANNED_HOSTS?, MISSING?) 
/PATCH. REPORT. SCORECARD/RESULTS/ASSET. GROUP LIST/ASSET. GROUP/STATS/NUM HOSTS (#PCDATA) 


The number of hosts in the asset group for which there is vulnerability scan 
data, followed in parentheses by the total number of IP addresses in the 
asset group. 


/PATCH. REPORT. SCORECARD/RESULTS/ASSET. GROUP LIST/ASSET. GROUP/SCANNED HOSTS (#PCDATA) 


The number of hosts in the asset group for which there is vulnerability scan 


m 


mi 


data. 
/PATCH. REPORT. SCORECARD/RESULTS/DETECTION LIST (DETECTION"*) 
/PATCH. REPORT. SCORECARD/RESULTS/DETECTION. LIST/DETECTION (HOST, MULEN) 
/PATCH. REPORT. SCORECARD/RESULTS/DETECTION. LIST/DETECTION/HOST 

(IP, DNS?, NETBIOS?, OS?, OWNER?) 


/PATCH_REPORT_SCORECARD/RESULTS/DETECTION_LIST/DETECTION/HOST/IP (#PCDATA) 
The IP address for a host missing required patches or software. 
/PATCH_REPORT_SCORECARD/RESULTS/DETECTION_LIST/DETECTION/HOST/DNS (#PCDATA) 


The registered DNS hostname for a host missing required patches or 
software. 
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XPath element specifications / notes 


PATCH. REPORT. SCORECARD/RESULTS/DETECTION LIST/DETECTION/HOST/NETBIOS (#PCDATA) 


The NetBIOS hostname for a host missing reguired patches or software. 


PATCH. REPORT. SCORECARD/RESULTS/DETECTION. LIST/DETECTION/HOST/OS (#PCDATA) 


The operating system detected on a host missing reguired patches or 
ftware. 


Mm 
o 


PATCH_REPORT_SCORECARD/RESULTS/DETECTION_LIST/DETECTION/HOST/OWNER (#PCDATA) 


e owner of the host missing required patches or software. 


PATCH_REPORT_SCORECARD/RESULTS/DETECTION_LIST/DETECTION/VULN 


PATCH_REPORT_SCORECARD/RESULTS/DETECTION_LIST/DETECTION/VULN/QID 
A vulnerability QID for a missing patch or software. 
PATCH_REPORT_SCORECARD/RESULTS/DETECTION_LIST/DETECTION/VULN/VENDOR_REF (#PCDATA) 


A vendor reference for the vulnerability, such as a security bulletin. 


PATCH_REPORT_SCORECARD/RESULTS/DETECTION_LIST/DETECTION/VULN/TITLE (#PCDATA) 


The title for the vulnerability for a missing patch or software. 


279 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 8 - VM Remediation Tickets XML 


Chapter 8 - VM Remediation Tickets XML 


TT 


This section describes the XML output returned from VM Remediation Tickets API 
reguests. 


Ticket List Output 
Ticket Edit Output 


Ticket Delete Output 
Deleted Ticket List Output 


Get Ticket Information Report 


Ignore Vulnerability Output 


Ticket List Output 


API used 
<platform API server>/msp/ticket_list.php 


DTD for Ticket List Output 
<platform API server>/ticket_list_output.dtd 


A recent DTD is below. 
<!-- QUALYS TICKET LIST OUTPUT DTD --> 
<!ELEMENT REMEDIATION TICKETS (ERROR | (HEADER, (TICKET LIST, 


TRUNCATION?) ?)) > 


<!-- Ticket Report error --> 
<!ELEMENT ERROR (#PCDATA) > 
<!ATTLIST ERROR number CDATA #IMPLIED> 


<!-- Truncation warning --> 
<!ELEMENT TRUNCATION (#PCDATA) > 
<!ATTLIST TRUNCATION last CDATA #IMPLII 


El 


D> 


<!-- Information about the Ticket Report --> 

<!ELEMENT HEADER (USER LOGIN, COMPANY, DATETIME, WHERE) > 
<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT COMPANY (#PCDATA) > 

<!ELEMENT DATETIME (#PCDATA) > 


<!-- Search criteria --> 
<!ELEMENT WHERE ( (MODIFIED SINCE DATETIME?, UNMODIFIED SINCE DATETIME?, 
TICKET NUMBERS?, SINCE TICKET NUMBER?, 


UNTIL TICKET NUMBER?, STATES?, IPS?, ASSET GROUPS?, 
DNS CONTAINS?, NETBIOS CONTAINS?, VULN SEVERITIES?, 
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POTENTIAL VULN SEVERITIES?, OVERDUE?, INVALID?, 
TICKET ASSIGNEE?, OIDS?, SHOW VULN DETAILS?, 


r 
VULN TITLE CONTAINS?, VULN DETAILS CONTAINS?, 
VENDOR REF CONTAINS?, NETWORK ID?, HOST ID?, 
SHOW HOST ID?) )+) > 
<!ELEMENT MODIFIED SINCE DATETIME (#PCDATA) > 
<!ELEMENT UNMODIFIED SINCE DATETIME (4PCDATA) > 
<!ELEMENT TICKET NUMBERS (#PCDATA) > 
<!ELEMENT SINCE TICKET NUMBER (#PCDATA) > 
<!ELEMENT UNTIL TICKET NUMBER (#PCDATA) > 
<!ELEMENT STATES (#PCDATA) > 
<!ELEMENT IPS (#PCDATA) > 
<!ELEMENT ASSET GROUPS (#PCDATA) > 
<!ELEMENT DNS CONTAINS (#PCDATA) > 
<!ELEMENT NETBIOS CONTAINS (#PCDATA) > 
<!ELEMENT VULN SEVERITIES (#PCDATA) > 
<!ELEMENT POTENTIAL VULN SEVERITIES (#PCDATA) > 
<!ELEMENT OVERDUE (#PCDATA) > 
<!ELEMENT INVALID (#PCDATA) > 
<!ELEMENT TICKET ASSIGNEE (#PCDATA) > 
<!ELEMENT QIDS (#PCDATA) > 
<!ELEMENT SHOW VULN DETAILS (#PCDATA) > 
<!ELEMENT VULN TITLE CONTAINS (#PCDATA) > 
<!ELEMENT VULN DETAILS CONTAINS (#PCDATA) > 
<!ELEMENT VENDOR_REF CONTAINS (#PCDATA) > 
<!ELEMENT NETWORK ID (#PCDATA) > 
<!ELEMENT SHOW HOST ID (#PCDATA) > 


<!-- AVOID COLISIONS BETWEEN LISTS ABOVE AND B 
<!ELEMENT TICKET LIST (TICKET+) > 
<!ELEMENT TICKET (NUMBER, CREATION DATETIME, DUE DATETIME, 


T 


OW!--> 


CURRENT STATE, CURRENT STATUS?, INVALID?, ASSIGNEE, 
DETECTION, STATS?, HISTORY LIST?, VULNINFO?, DETAILS?) > 
UMBER (#PCDATA) > 


REATION DATETIME (#PCDATA) > 


UE DATETIME (#PCDATA) > 


SSIGNEE (NAME EMAIL, LOGIN)> 


<!ELEMENT NAME (#PCDATA 


) 
<!ELEMENT EMAIL (#PCDATA 
<!ELEMENT LOGIN (#PCDATA 


<!-- Target Asset --> 


<!ELEMENT DETECTION (IP, HOST ID?, DNSNAME?, NBHNAMI 


Fl 


2, PORT?, SERVICE?, 


<!ELEMENT 


FODN?, SSL?, INSTANCE?) > 
P (#PCDATA) > 


H 


<!ELEMENT HOST ID (#PCDATA) > 


<!-- DNS Hostname --> 


<!ELEMENT DNSNAME (#PCDATA) > 


tBios Hostname --> 


<!ELEMENT NBHNAME (#PCDATA) > 


P Port of the vuln --> 
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r 


E? 


, TIMES NOT FOUND, 


r 


IM 


E?) > 


<!E ENT PORT (#PCDATA) > 

<!-- service name on the host--> 

<!E ENT SERVICE (#PCDATA) > 

<l== Protocol -=-=> 

<!E ENT PROTOCOL (#PCDATA) > 

<!-- FODN --> 

<!E ENT FODN (#PCDATA) > 

<!-- was this found using SSL --> 

<!E ENT SSL (#PCDATA) > 

<!-- Ticket Statistics --> 

<!E ENT INSTANCE (#PCDATA) > 

<!E ENT STATS (FIRST FOUND DATETIME, LAST FOUND DATETIME 
LAST SCAN DATETIME, TIMES FOUND 
AST OPEN DATETIME, LAST RESOLVED DATETI 
AST CLOSED DATETIME?, LAST IGNORED DATET 

<!E ENT FIRST FOUND DATETIME (#PCDATA) > 

<!E ENT LAST FOUND DATETIME (#PCDATA) > 

<!E ENT LAST SCAN DATETIME (#PCDATA) > 

<!E ENT TIMES FOUND (#PCDATA) > 

<!E ENT TIMES NOT FOUND (#PCDATA) > 

<!E ENT LAST OPEN DATETIME (#PCDATA) > 

<!E ENT LAST RESOLVED DATETIME (#PCDATA) > 

<!E ENT LAST CLOSED DATETIME (#PCDATA) > 

<!E ENT LAST IGNORED DATETIME (#PCDATA) > 

<!-- Ticket History --> 

<!E ENT HISTORY LIST (HISTORY+) > 

<!E ENT HISTORY (DATETIME, ACTOR, 

STATE?, ADDED ASSIGNEE?, REMOVED ASSIGN 
SCAN?, RULE?, COMMENT?) > 

<!E ENT ACTOR (#PCDATA) > 

<!-- Ticket state/status --> 

<!E ENT STATE (OLD?, NEW) > 

<!E ENT OLD (#PCDATA) > 

<!E ENT NEW (#PCDATA) > 

<!-- added assignee --> 

<!E ENT ADDED ASSIGNEE (NAME, EMAIL, LOGIN) > 

<!-- removed assignee --> 

<!E ENT REMOVED ASSIGNEE (NAME, EMAIL, LOGIN) > 

<!-- Scan Report that triggered ticket policy --> 

<!E ENT SCAN (REF, DATETIME?) > 

<!E ENT REF (#PCDATA) > 

<!-- Ticket Creation Rule (Policy) --> 

<!E ENT RULE (#PCDATA) > 

<!-- Ticket Comment --> 

<!E ENT COMMENT (#PCDATA) > 

<!-- Ticket Vulnerability Information --> 

<!E ENT VULNINFO (TITLE, TYPE, QID, SEVERITY, STANDARD S 
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CVE ID LIST?, VENDOR REF LIST?) > 


siss 


Severity is Oualys severity level 1 to 5 


(possibly customized), 


whereas standard-severity is the original Oualys severity level 


13209 
of the users in the subscription). 
--> 
<!ELEMENT TITLE ( 
<!-- VULN|POSS --> 
<!ELEMENT TYPE (#PCDATA) > 

<!ELEMENT QID (#PCDATA) > 

<!ELEMENT SEVERITY (#PCDATA) > 
<!ELEMENT STANDARD SEVERITY (#PCDATA) > 


PCDATA) > 


<!-- E ID (no URI) --> 

<!ELEMENT CVE ID LIST (CVI 
<!ELEMENT CVE ID (#PCDATA) 
<!-- Ven Referenc (no URI) 
<!ELEMENT VENDOR_REF LIST 
<!ELEMENT VENDOR_REF (#PCDATA) > 


El 


D+) > 


1 
> 


--> 


eles 
<!ELE 


Ticket Vulnerability Details --> 


ENT DETAILS 


(which may differ if the vuln has been customized by one 


(VENDOR REF+) > 


(DIAGNOSIS?, CONSEQUENCE?, SOLUTION?, CORRELATION ?, RESULT?) > 


<!ELE 
<!ELE 
<!ELE 


ENT 
ENT 
ENT 


DIAGNOSIS (#PCDATA) > 
CONSEQUENCE (#PCDATA) > 
SOLUTION (#PCDATA) > 


<!ELE 
<!ELE 
<!ELE 
<!ELE 
<!ELE 
<!ELE 
<!ELE 
<!ELE 


CORRELATION (EXP 
PLOITABILITY (EXP 
EXPLT SRC (SRC NAME, 
NAME (#PCDATA) > 
EXPLT LIST (EXPLT) +> 
EXPLT (REF, DESC, LINK?) > 
PCDATA) > 

PCDATA) > 


T SRC) +> 


<!ELE 
<!ELE 
<!ELE 
<!ELE 


W SRC) +> 
E, MW LIST) > 
INFO) +> 
ID, MW TYPE?, 
W LINK?) > 


<!ELE 
<!ELE 
<!ELE 
<!ELE 
<!ELE 
<!ELE 
<!ELE 


(#PCDATA) > 
RATING (#PCDATA) > 
LINK (#PCDATA) > 
ENT RESULT (#PCDATA) > 


H 


<L== 


If the 
values ar 
by new line 


Na 


separated by tab 
nyn 
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MW_PLATFORM?, 


"format" attribute is set to 


OITABILITY?,MALWARE ? 


EJ 
v 
V 


EXPLT LIST) > 


MW ALIAS?, MW RATING?, 


"table", then column 


and rows are terminated 
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--> 
<!ATTLIST RESULT format CDATA #IMPLIED> 
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XPaths for Ticket List Output 


Ticket List - Header Information 


XPath element specifications / notes 
/REMEDIATION. TICKETS (ERROR | (HEADER, (TICKET. LIST, TRUNCATION?)?)) 
/REMEDIATION_TICKETS/ERROR (#PCDATA) 
attribute: number number is implied and if present, is an error code 
/REMEDIATION. TICKETS/TRUNCATION (#PCDATA) 
attribute: last last is implied and if present, is the last ticket number included in the ticket list 


report. The ticket list is truncated after 1000 records. 

/REMEDIATION. TICKETS/HEADER (USER LOGIN, COMPANY, DATETIME, WHERE) 

/REMEDIATION. TICKETS/HEADER/USER LOGIN (#PCDATA) 

The Oualys user login name for the user that reguested the ticket list report. 
/REMEDIATION, TICKETS/HEADER/COMPANY (#PCDATA) 

The company associated with the Oualys user. 
/REMEDIATION_TICKETS/HEADER/DATETIME — (*PCDATA) 


The date and time when the ticket list report was requested. The date appears in 
YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT) like this: 
“2005-01-10T02:33:112Z”. 


/REMEDIATION_TICKETS/ HEADER/WHERE 


((MODIFIED_SINCE_DATETIME?, UNMODIFIED_SINCE_DATETIME?, 
TICKET_NUMBERS?, SINCE_TICKET_NUMBER?, UNTIL_TICKET_NUMBER?, 
STATES?, IPS?, ASSET_GROUPS?, DNS_CONTAINS?, NETBIOS_CONTAINS?, 
VULN_SEVERITIES?, POTENTIAL_VULN_SEVERITIES?, OVERDUE?, 
INVALID?, TICKET_ASSIGNEE?, QIDS?, SHOW_VULN_DETAILS?, 
VULN_TITLE_CONTAINS?, VULN_DETAILS_CONTAINS?, 
VENDOR_REF_CONTAINS?, HOST_ID?, SHOW_HOST_ID?+) 


Ticket selection parameters that were specified as part of the ticket_list.php 
request. Only the specified parameters appear in the output. Ticket selection 
parameters are described below. 


/REMEDIATION. TICKETS/HEADER/WHERE/MODIFIED SINCE DATETIME (#PCDATA) 


The start date/time of a time window when tickets were modified. The end of the 
time window is the date/time when the API function was run. Only tickets 
modified within this time window are retrieved. 


The start date/time appears in YYYY-MM-DD[THH:MM:SSZ] format 
(UTC/GMT) like “2006-01-01” or “2006-05-25T23:12:00Z”. 


/REMEDIATION_TICKETS/HEADER/WHERE/UNMODIFIED_SINCE_DATETIME (#PCDATA) 


The start date/time of the time window when tickets were not modified. The end 
of the time window is the date /time when the API function was run. Only tickets 
that were not modified within this time window are retrieved. 


The start date/time appears in YYYY-MM-DD[THH:MM:SSZ] format 
(UTC/GMT) like “2006-01-01” or “2006-05-25T23:12:00Z”. 


/REMEDIATION_TICKETS/HEADER/WHERE/TICKET_NUMBERS (#PCDATA) 


One or more ticket numbers and/or ranges. Ticket range start and end is 
separated by a dash (-). 
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XPath element specifications / notes 
/REMEDIATION TICKETS/HEADER/WHERE/SINCE TICKET NUMBER (#PCDATA) 


The lowest ticket number selected. Selected tickets will have numbers greater than 
or egual to the ticket number specified. 


/REMEDIATION. TICKETS/HEADER/WHERE/UNTIL TICKET NUMBER (#PCDATA) 


The highest ticket number selected. Selected tickets will have numbers less than or 
egual to the ticket number specified. 


/REMEDIATION. TICKETS/HEADER/WHERE/STATES (#PCDATA) 


One or more ticket states. Possible values are OPEN (for state/status Open or 
Open/Reopened), RESOLVED (for state Resolved), CLOSED (for state/status 
Closed/Fixed) and IGNORED (for state/status Closed /Ignored). 


/REMEDIATION TICKETS/HEADER/WHERE/IPS (#PCDATA) 

One or more IP addresses and/or ranges. 
/REMEDIATION TICKETS/HEADER/WHERE/ASSET GROUPS (#PCDATA) 

The title of one or more asset groups. 
/REMEDIATION TICKETS/HEADER/WHERE/DNS CONTAINS — (*PCDATA) 

A text string contained within the DNS host name. 
/REMEDIATION TICKETS/HEADER/WHERE/NETBIOS CONTAINS (#PCDATA) 

A text string contained within the NetBIOS host name. 
/REMEDIATION TICKETS/HEADER/WHERE/VULN SEVERITIES (#PCDATA) 

One or more vulnerability severity levels. 
/REMEDIATION. TICKETS/HEADER/WHERE/HOST IDS (#PCDATA) 

A text string with the asset host id. 

/REMEDIATION TICKETS/HEADER/WHERE/POTENTIAL VULN SEVERITIES (#PCDATA) 
One or more potential vulnerability severity levels. 
/REMEDIATION TICKETS/HEADER/WHERE/OVERDUE (#PCDATA) 


When not specified, overdue and non-overdue tickets are selected. The value 1 
indicates that only overdue tickets were reguested. The value 0 indicates that only 
non-overdue tickets were reguested. 


/REMEDIATION. TICKETS/HEADER/WHERE/INVALID (#PCDATA) 


When not specified, both valid and invalid tickets are selected. The value 1 
indicates that only invalid tickets were reguested. The value 0 indicates that only 
valid tickets that were reguested. 


/REMEDIATION_TICKETS/ HEADER/WHERE/TICKET_ASSIGNEE (#PCDATA) 

The user login of an active account. 
/REMEDIATION_TICKETS/HEADER/WHERE/QIDS (#PCDATA) 

One or more Qualys IDs (OIDs). 
/REMEDIATION_TICKETS/HEADER/WHERE/SHOW_VULN_DETAILS (#PCDATA) 


A flag identifying whether vulnerability details are included in the ticket list XML 
output. The value 1 indicates that vulnerability details were requested. The value 
0 indicates that vulnerability details were not requested. 


/REMEDIATION_TICKETS/HEADER/WHERE/VULN_TITLE_ CONTAINS (#PCDATA) 
A text string contained within the vulnerability title. 
/REMEDIATION_TICKETS/HEADER/WHERE/VULN_DETAILS CONTAINS — (*PCDATA) 


A text string contained within vulnerability details. 
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XPath element specifications / notes 
/REMEDIATION TICKETS/HEADER/WHERE/VENDOR REF CONTAINS (#PCDATA) 


A text string contained within a vendor reference for the vulnerability. 
/REMEDIATION. TICKETS/HEADER/WHERE/HOST. ID (#PCDATA) 

The unigue host ID assigned to the asset. 
/REMEDIATION. TICKETS/HEADER/WHERE/SHOW. HOST. ID (#PCDATA) 


A flag identifying whether host ID is included in the ticket list XML output. The 
value 1 indicates that host ID is included. The value 0 indicates that host ID is not 
included. 


Ticket List - General Ticket Information 


XPath element specifications / notes 
/REMEDIATION TICKETS/TICKET LIST (TICKET+) 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET 


(NUMBER, CREATION_DATETIME, DUE_DATETIME, CURRENT_STATE, 
CURRENT_STATUS?, INVALID?, ASSIGNEE, DETECTION, STATS?, 
HISTORY_LIST?, VULNINFO?, DETAILS?) 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/NUMBER (#PCDATA) 
The number assigned to the ticket by Qualys. 
/REMEDIATION_TICKETS/TICKET_LIST/TICKET/CREATION_DATETIME (#PCDATA) 


The date when the ticket was first created in YYYY-MM-DDTHH:MM:SSZ 
format (UTC/GMT). 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/DUE_DATETIME (#PCDATA) 


The due date for ticket resolution in YYYY-MM-DDTHH:MM:SSZ 
format (UTC/GMT). 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/CURRENT_STATE (#PCDATA) 

The current ticket state: OPEN, RESOLVED, or CLOSED. 
/REMEDIATION_TICKETS/TICKET_LIST/TICKET/CURRENT_STATUS (#PCDATA) 
The current ticket status: REOPENED, FIXED, IGNORED. 
/REMEDIATION_TICKETS/TICKET_LIST/TICKET/INVALID (#PCDATA) 


A flag indicating whether the ticket is currently invalid. The value 1 is returned 
when the ticket is invalid. The value 0 is returned when the ticket is valid. 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/ASSIGNEE (NAME, EMAIL, LOGIN) 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/ASSIGNEE/NAME (#PCDATA) 


The full name (first and last) of the assignee, as defined in the assignee's Oualys 
user account. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/ASSIGNEE/EMAIL (#PCDATA) 


The email address of the assignee, as defined in the assignee’s Qualys user 
account. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/ASSIGNEE/LOGIN (#PCDATA) 
The Oualys user login name for the assignee. 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETECTION (#PCDATA) 


See “Ticket List - Host Information” for descriptions of the DETECTION 
sub-elements. 
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XPath element specifications / notes 
/REMEDIATION TICKETS/TICKET LIST/TICKET/STATS (#PCDATA) 


See “Ticket List -Statistics” for descriptions of the STATS sub-elements. 
/REMEDIATION, TICKETS/TICKET LIST/TICKET/HISTORY LIST (#PCDATA) 

See “Ticket List - History” for descriptions of the HISTORY sub-elements. 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/VULNINFO  (#PCDATA) 


See “Ticket List — Vulnerability Information” for descriptions of the VULNINFO 
sub-elements. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS (#PCDATA) 


See “Ticket List — Vulnerability Details” for descriptions of the DETAILS 
sub-elements. 


Ticket List - Host Information 


XPath element specifications / notes 
/REMEDIATION_TICKETS/TICKET_LIST/TICKET/DETECTION 


(IP, DNSNAME?, NBHNAME?, PORT?, SERVICE?, PROTOCOL?, 
FODN?, SSL?, INSTANCE?) 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETECTION/IP (#PCDATA) 
The IP address of the host. 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETECTION/DNSNAME  (#PCDATA) 

The DNS host name when known. 

/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETECTION/NBHNAME — (#PCDATA) 

The Microsoft Windows NetBIOS host name if appropriate, when known. 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETECTION/HOST. ID (#PCDATA) 

The unigue host ID assigned to the asset. 

/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETECTION/PORT (#PCDATA) 

The port number that the vulnerability was detected on. 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETECTION/SERVICE (#PCDATA) 

The service that the vulnerability was detected on. 

/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETECTION/PROTOCOL (#PCDATA) 

The protocol that the vulnerability was detected on. 

/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETECTION/FODN (#PCDATA) 

The fully gualified domain name of the host, when known. 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETECTION/SSL (#PCDATA) 


A flag indicating whether SSL was present on this host, when known. If SSL was 
present, the SSL element appears with the value TRUE. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETECTION/INSTANCE (#PCDATA) 


The Oracle DB instance the vulnerability was detected on. 


Ticket List -Statistics 
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XPath element specifications / notes 
/REMEDIATION_TICKETS/TICKET_LIST/TICKET/STATS 


(FIRST. FOUND. DATETIME, LAST. FOUND. DATETIME, 

LAST. SCAN. DATETIME, TIMES. FOUND, TIMES NOT. FOUND, 
LAST. OPEN. DATETIME, LAST. RESOLVED. DATETIME?, 

LAST. CLOSED. DATETIME?, LAST IGNORED. DATETIME?) 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/STATS/FIRST. FOUND DATETIME (#PCDATA) 


The date and time when the vulnerability was first detected on the host, in 
YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/STATS/LAST_FOUND_DATETIME (#PCDATA) 


The date and time when the vulnerability was last detected on the host (from the 
most recent scan), in YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/STATS/LAST_SCAN_ DATETIME (#PCDATA) 


The date and time of the most recent scan of the host, in 
YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/STATS/TIMES FOUND (#PCDATA) 
The total number of times the vulnerability was detected on the host. 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/STATS/TIMES NOT FOUND (#PCDATA) 


The total number of times the host was scanned and the vulnerability was not 
detected. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/STATS/LAST OPEN DATETIME (#PCDATA) 


The date of the most recent scan which caused the ticket state to be changed to 
Open, in YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/STATS/LAST_RESOLVED_DATETIME (#PCDATA) 


The date of the most recent scan which caused the ticket state to be changed to 
Resolved, in YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/STATS/LAST_CLOSED_DATETIME (#PCDATA) 


The date of the most recent scan which caused the ticket state to be changed to 
Closed, in YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/STATS/LAST_IGNORED_DATETIME (#PCDATA) 


The most recent date and time when the ticket was marked as Ignored, in 
YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 


Ticket List - History 


XPath element specifications / notes 
/REMEDIATION_TICKETS/TICKET_LIST/TICKET/HISTORY_LIST (HISTORY+) 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/HISTORY_LIST/HISTORY 


(DATETIME, ACTOR, STATE?, ADDED_ASSIGNEE?, REMOVED_ASSIGNEE?, 
SCAN?, RULE?, COMMENT?) 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/HISTORY_LIST/HISTORY/DATETIME (#PCDATA) 


The date and time of the ticket history event, in YYYY-MM-DDTHH:MM:SSZ 
format (UTC/GMT). 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/HISTORY_LIST/HISTORY/ACTOR (#PCDATA) 
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XPath element specifications / notes 


The Oualys user login name, identifying the user whose action prompted the 
ticket history event (such as user scan resulting in ticket state/ status change, user 
ticket edit). 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/HISTORY_LIST/HISTORY/STATE (OLD?, NEW) 

/REMEDIATION_TICKETS/TICKET_LIST/TICKET/HISTORY_LIST/HISTORY/STATE/OLD (#PCDATA) 

The old (previous) state of the ticket. 

/REMEDIATION. TICKETS/TICKET. LIST/TICKET/HISTORY. LIST/HISTORY/STATE/NEW (#PCDATA) 

The new (current) state of the ticket. 

/REMEDIATION_TICKETS/TICKET_LIST/TICKET /HISTORY_LIST / HISTORY / ADDED. ASSIGNEE 
(NAME, EMAIL, LOGIN) 


Qualys user who was added as the ticket assignee. For a complete description of 
the ADDED_ASSIGNEE sub-elements, see the ASSIGNEE description in the 
“Ticket List - General Ticket Information” table. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/HISTORY. LIST/HISTORY/REMOVED. ASSIGNEE 
(NAME, EMAIL, LOGIN) 


Oualys user who was removed as the ticket assignee. For a complete description 
of the REMOVED. ASSIGNEE sub-elements, see the ASSIGNEE description in the 
“Ticket List - General Ticket Information” table. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/HISTORY LIST/HISTORY/SCAN (REF, DATETIME?) 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/HISTORY. LIST/HISTORY/SCAN/REF (#PCDATA) 


The scan report reference for the scan that triggered the ticket update event. 
Note: For a new ticket created by a user, a scan report reference is not returned. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/HISTORY. LIST/HISTORY/SCAN/DATETIME (#PCDATA) 


The date and time of the scan that triggered the ticket update event, in 
YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/HISTORY_LIST/HISTORY/RULE (#PCDATA) 


The name of the policy rule that triggered the automatic ticket creation. 
/REMEDIATION_TICKETS/TICKET_LIST /TICKET/HISTORY_LIST/HISTORY/COMMENT (#PCDATA) 
Comments added to the ticket by Qualys users. 


Ticket List — Vulnerability Information 


XPath element specifications / notes 
/REMEDIATION_TICKETS/TICKET_LIST/TICKET/VULNINFO 


(TITLE, TYPE, OID, SEVERITY, STANDARD_SEVERITY, CVE_ID_LIST?, 
VENDOR_REF_LIST?) 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/VULNINFO/TITLE (#PCDATA) 

The title of the vulnerability, from the Qualys KnowledgeBase. 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/VULNINFO/TYPE (#PCDATA) 

Type is VULN for a vulnerability, and POSS for a potential vulnerability. 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/VULNINFO/OID (#PCDATA) 


The Oualys ID (OID) assigned to the vulnerability, from the Oualys 
KnowledgeBase. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/VULNINFO/SEVERITY (#PCDATA) 
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XPath element specifications / notes 


The current severity level assigned to the vulnerability. This severity level may be 
different from the standard severity level if it was customized by a Manager user. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/VULNINFO/STANDARD SEVERITY (#PCDATA) 

The standard or initial severity level assigned to the vulnerability by Oualys. 
/ REMEDIATION, TICKETS/TICKET. LIST/TICKET/VULNINFO/CVE ID LIST (CVE ID+) 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/VULNINFO/CVE ID LIST/CVE ID (#PCDATA) 

A CVE name assigned to the vulnerability. 


CVE (Common Vulnerabilities and Exposures) is a list of common names for 
publicly known vulnerabilities and exposures. Through open and collaborative 
discussions, the CVE Editorial Board determines which vulnerabilities or 
exposures are included in CVE. If the CVE name starts with CAN (candidate) then 
itis under consideration for entry into CVE. 


/REMEDIATION. TICKETS/TICKET LIST/TICKET/VULNINFO/VENDOR. REE LIST (VENDOR. REF+) 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/VULNINFO/VENDOR. REF LIST/VENDOR. REF 
(#PCDATA) 


A vendor reference number assigned to the vulnerability. 


Ticket List — Vulnerability Details 


XPath element specifications / notes 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS 


(DIAGNOSIS?, CONSEOUENCE?, SOLUTION?, CORRELATION?, RESULT?) 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/DIAGNOSIS (#PCDATA) 


A description of the threat that the vulnerability presents, from the Oualys 
KnowledgeBase. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/CONSEOUENCES (#PCDATA) 


A description of the potential impact if this vulnerability is exploited, from the 
Oualys KnowledgeBase. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/SOLUTION (#PCDATA) 


A verified solution to fix the vulnerability, from the Oualys KnowledgeBase. 
When virtual patch information is correlated with a vulnerability, the virtual 
patch information from Trend Micro appears under the heading “Virtual 
Patches:”. This includes a list of virtual patches and a link to more information. 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET / DETAILS/ CORRELATION 
(EXPLOITABILITY?, MALWARE?) 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/ CORRELATION / 
EXPLOITABILITY (EXPLT_SRC)+ 


The <EXPLOITABILITY> element and its sub-elements appear only when there is 
exploitability information for the vulnerability from third party vendors and/or 
publicly available sources. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/ CORRELATION/ 
EXPLOITABILITY/EXPLT SRC (SRC NAME, EXPLT LIST) 
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XPath element specifications / notes 
/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/ CORRELATION / 
EXPLOITABILITY/EXPLT SRC/SRC NAME (#PCDATA) 


The name of a third party vendor or publicly available source of the vulnerability 
information. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/ CORRELATION / 
EXPLOITABILITY/EXPLT. SRC/EXPLT LIST (EXPLT)+ 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/ CORRELATION / 
EXPLOITABILITY/EXPLT. SRC/EXPLT LIST/EXPLT (REF, DESC, LINK?) 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/ CORRELATION / 
EXPLOITABILITY /EXPLT_SRC/EXPLT_LIST/EXPLT/REF (#PCDATA) 


The CVE reference for the exploitability information. 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET /DETAILS/CORRELATION/ 
EXPLOITABILITY /EXPLT_SRC/EXPLT_LIST/EXPLT/DESC (#PCDATA) 


The description provided by the source of the exploitability information (third 
party vendor or publicly available source). 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/ CORRELATION / 
EXPLOITABILITY /EXPLT_SRC/EXPLT_LIST/EXPLT/LINK (#PCDATA) 


A link to the exploit, when available. 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET/DETAILS/CORRELATION/ 
MALWARE (MW_SRC)+ 


The <MALWARE> element and its sub-elements appear only when there is 
malware information for the vulnerability from Trend Micro. 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET / DETAILS/ CORRELATION / 
MALWARE/MW SRC (SRC_NAME, MW LIST) 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/ CORRELATION / 
MALWARE/MW SRC/SRC NAME — (*PCDATA) 


The name of the source of the malware information: Trend Micro. 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET / DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST (MW_INFO)+ 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET / DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO 
(MW_ID, MW_TYPE?, MW_PLATFORM?, MW_ALIAS?, MW_RATING?, 
MW_LINK?) 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/ CORRELATION / 
MALWARE/MW. SRC/MW. LIST/MW INFO /MW_ID (#PCDATA) 


The malware name/ID assigned by Trend Micro. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/ CORRELATION / 
MALWARE/MW. SRC/MW LIST/MW INFO /MW TYPE (#PCDATA) 


The type of malware, such as Backdoor, Virus, Worm or Trojan. 


/REMEDIATION. TICKETS/TICKET. LIST/ TICKET/DETAILS/ CORRELATION / 
MALWARE/MW. SRC/MW LIST/MW INFO /MW. PLATFORM  (#PCDATA) 


A list of the platforms that may be affected by the malware. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/ CORRELATION / 
MALWARE/MW. SRC/MW LIST/MW INFO /MW. ALIAS (#PCDATA) 


A list of other names used by different vendors and/or publicly available sources 
to refer to the same threat. 


/REMEDIATION. TICKETS/TICKET. LIST/TICKET/DETAILS/ CORRELATION / 
MALWARE/MW. SRC/MW. LIST/MW INFO /MW RATING (4PCDATA) 
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XPath element specifications / notes 
The overall risk rating as determined by Trend Micro: Low, Medium or High. 


/REMEDIATION_TICKETS/TICKET_LIST/TICKET /DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO /MW_LINK (#PCDATA) 


A link to malware details. 
/REMEDIATION_TICKETS/TICKET_LIST/TICKET/DETAILS/RESULT (#PCDATA) 


Specific scan test results for the vulnerability, from the host assessment data. 


attribute: format format is implied and if present, will be “table,” indicating that the results are a 
table that has columns separated by tabulation characters and rows separated 
by new-line characters 
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Ticket Edit Output 


API used 
<platform API server>/msp/ticket_edit.php 


DTD for Ticket Edit Output 
<platform API server>/ticket_edit_output.dtd 


A recent DTD is below. 


<!-- QUALYS TICKET EDIT OUTPUT DTD --> 


<!ELEMENT TICKET EDIT OUTPUT (ERROR | (HEADER, CHANGES, SKIPPED) ) > 


<!-- Ticket Report error --> 
<!ELEMENT ERROR (#PCDATA) > 
<!ATTLIST ERROR number CDATA #IMPLIED> 


<!-- Information about the Ticket Report --> 

<!ELEMENT HEADER (USER LOGIN, COMPANY, DATETIME, UPDATE, WHERE) > 
<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT COMPANY (#PCDATA) > 

<!ELEMENT DATETIME (#PCDATA) > 


] criteria --> 

<!ELEMENT UPDATE ((ASSIGNEE?, STATI 
<!ELEMENT ASSIGNEE (#PCDATA) > 
<!ELEMENT STATE (#PCDATA) > 
<!ELEMENT COMMENT (#PCDATA) > 

<!ELEMENT REOPEN IGNORED DAYS (#PCDATA) > 


A 
| 
I 
ti 
Q 
EE 
ct 


Fl 


?, COMMENT?, REOPEN IGNORED DAYS?)+) > 


T 


<!-- Search criteria --> 
<!ELEMENT WHERE ( (MODIFI D SINCE DATETIME?, UNMODIFIED SINCE DATETIME?, 

TICKET NUMBERS?, SINCE TICKET NUMBER?, 
UNTIL TICKET NUMBER?, STATES?, IPS?, ASSET GROUPS?, 


T 


NS CONTAINS?, NI 


TBIOS CONTAINS?, VULN SEVERITIES?, 


D 

POTENTIAL VULN SEVERITIES?, OVERDUE?, INVALID?, 
TICKET ASSIGNEE?, OIDS?, VULN TITLE CONTAINS?, 
VULN DETAILS CONTAINS?, VENDOR REF CONTAINS?) + 


<!ELEMENT MODIFIED SINCE DATETIME (#PCDATA) > 


> 


<!ELEMENT UNMODIFIED SINCE DATETIME (#PCDATA) > 
<!ELEMENT TICKET NUMBERS (#PCDATA) > 

<!ELEMENT SINCE TICKET NUMBER (#PCDATA) > 
<!ELEMENT UNTIL TICKET NUMBER (#PCDATA) > 
<!ELEMENT STATES (#PCDATA) > 

<!ELEMENT IPS (#PCDATA) > 

<!ELEMENT ASSET GROUPS (#PCDATA) > 

<!ELEMENT DNS CONTAINS (#PCDATA) > 

<!ELEMENT NETBIOS CONTAINS (#PCDATA) > 
<!ELEMENT VULN SEVERITIES (#PCDATA) > 

<!ELEMENT POTENTIAL VULN SEVERITIES (#PCDATA) > 
<!ELEMENT OVERDUE (#PCDATA) > 


294 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 8 - VM Remediation Tickets XML 


<!ELEMENT INVALID (#PCDATA) > 

<!ELEMENT TICKET ASSIGNEE (#PCDATA) > 
<!ELEMENT QIDS (#PCDATA) > 

<!ELEMENT VULN TITLE CONTAINS (#PCDATA) > 
<!ELEMENT VULN DETAILS CONTAINS (#PCDATA) > 
<!ELEMENT VENDOR_REF CONTAINS (#PCDATA) > 


<!-- AVOID COLISIONS BETWEEN LISTS ABOVE AND BELOW! --> 
<!ELEMENT CHANGES (TICKET NUMBER LIST) ?> 
<!ATTLIST CHANGES count CDATA #IMPLIED> 


T 


<!ELEMENT TICKET NUMBER LIST (TICKET_NUMBER+)> 
<!ELEMENT TICKET_NUMBER (#PCDATA)> 


T 


<!ELEMENT SKIPPI 
<!ATTLIST SKIPP] 


D (TICKET_LIST)?> 
D count CDATA #IMPLIED> 


m 
E, 
m 
E 


<!ELEMENT TICKET_LIST (TICKET+)> 
<!ELEMENT TICKET (NUMBER, REASON)> 
<!ELEMENT NUMBER (#PCDATA)> 
<!ELEMENT REASON (#PCDATA)> 


m 
E, 
H 
E, 


XPaths for Edit Ticket Output 


Edit Ticket Output — Header Information 


XPath element specifications / notes 
/TICKET_EDIT_OUTPUT (ERROR | (HEADER, CHANGES, SKIPPED)) 
/TICKET_EDIT_OUTPUT/ERROR (#PCDATA) 

attribute: number number is implied and, if present, is an error code. 


/TICKET_EDIT_OUTPUT/HEADER (USER_LOGIN, COMPANY, DATETIME, UPDATE, WHERE) 
/TICKET_EDIT_OUTPUT/HEADER/USER_LOGIN (#PCDATA) 

The Qualys user login name for the user that issued the ticket edit request. 
/TICKET_EDIT_OUTPUT/HEADER/COMPANY (#PCDATA) 

The company associated with the Qualys user. 
/TICKET_EDIT_OUTPUT/HEADER/DATETIME (#PCDATA) 


The date and time of the ticket edit request. The date appears in YYYY-MM- 
DDTHH:MM:SSZ format (UTC/GMT). 


/TICKET. EDIT. OUTPUT/HEADER/UPDATE 
((ASSIGNEE?, STATE?, COMMENT?, REOPEN_IGNORED_DAYS?)+) 


The ticket update parameters specified with the ticket_edit.php request are 
described below. 


/TICKET_EDIT_OUTPUT/HEADER/UPDATE/ASSIGNEE — (HPCDATA) 


The user login ID of the current ticket assignee. The ticket assignee was updated 
by the ticket edit request. 
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XPath element specifications / notes 
/TICKET EDIT OUTPUT/HEADER/UPDATE/STATE (#PCDATA) 


The current ticket state. The ticket state was updated by the ticket edit reguest. A 
possible value is OPEN (for state /status Open and Open/Reopened), RESOLVED 
(for state Resolved), or IGNORED (for state/status Closed /Ignored). 


/TICKET. EDIT. OUTPUT/HEADER/UPDATE/COMMENT  (#PCDATA) 


A ticket comment. This comment was added by the ticket edit reguest. 
/ TICKET. EDIT. OUTPUT/HEADER/UPDATE/REOPEN IGNORED DAYS (#PCDATA) 


The number of days when the Closed /Ignored ticket will be reopened. The 
number was set by the ticket edit reguest. 


/TICKET. EDIT. OUTPUT/HEADER/WHERE 


((MODIFIED. SINCE. DATETIME?, UNMODIFIED. SINCE. DATETIME?, 
TICKET. NUMBERS?, SINCE. TICKET. NUMBER?, UNTIL. TICKET. NUMBER?, 
STATES?, IPS?, ASSET_GROUPS?, DNS_CONTAINS?, NETBIOS_CONTAINS?, 
VULN_SEVERITIES?, POTENTIAL_VULN_SEVERITIES?, OVERDUE?, 
INVALID?, TICKET_ASSIGNEE?, QIDS?, VULN_TITLE_CONTAINS?, 
VULN_DETAILS_CONTAINS?, VENDOR_REF_CONTAINS?) +) 


The ticket selection parameters specified with the ticket_edit.php request are 
described below. 


/TICKET. EDIT. OUTPUT/HEADER/WHERE/MODIFIED SINCE DATETIME (#PCDATA) 


The start date/time of a time window when tickets were modified. The end of the 
time window is the date/time when the API function was run. Only tickets 
modified within this time window were selected. 
The date/time appears in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT). 

/ TICKET. EDIT. OUTPUT/HEADER/WHERE/UNMODIFIED SINCE DATETIME (#PCDATA) 


The start date/time of a time window when tickets were not modified. The end of 
the time window is the date/time when the API function was run. Only tickets 
that were not modified within this time window were selected. 


The date/time appears in YYYY-MM-DD[THH:MM:SSZ] format (UTC/GMT). 
/ TICKET. EDIT OUTPUT/HEADER/WHERE/TICKET NUMBERS (#PCDATA) 


One or more ticket numbers and/or ranges were selected. Ticket range start and 
end is separated by a dash (-). 


/ TICKET. EDIT. OUTPUT/HEADER/WHERE/SINCE TICKET NUMBER (#PCDATA) 


The lowest ticket number selected. Selected tickets have numbers greater than or 
egual to the ticket number specified. 


/TICKET. EDIT. OUTPUT/HEADER/WHERE/UNTIL TICKET NUMBER (#PCDATA) 


The highest ticket number selected. Selected tickets have numbers less than or 
egual to the ticket number specified. 


/TICKET. EDIT. OUTPUT/HEADER/WHERE/STATES (#PCDATA) 


The selected ticket states. Possible values are OPEN (for state/status Open or 
Open/Reopened), RESOLVED (for state Resolved), CLOSED (for state/status 
Closed/Fixed) and IGNORED (for state/status Closed /Ignored). 


/TICKET. EDIT OUTPUT/HEADER/WHERE/IPS (#PCDATA) 


The selected IP addresses and/or ranges. Tickets on these IP addresses/ranges 
were selected. 
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XPath element specifications / notes 
/TICKET. EDIT OUTPUT/HEADER/WHERE/ASSET. GROUPS (#PCDATA) 


The title of one or more selected asset groups. Tickets on IPs in these asset groups 
were selected. 


/TICKET. EDIT. OUTPUT/HEADER/WHERE/DNS CONTAINS (#PCDATA) 


A text string contained within the DNS host name. Tickets with a DNS host name 
containing this text string were selected. 


/ TICKET. EDIT. OUTPUT/HEADER/WHERE/NETBIOS. CONTAINS (#PCDATA) 


A text string contained within the NetBIOS host name. Tickets with a NetBIOS 
host name containing this text string were selected. 


/TICKET. EDIT. OUTPUT/HEADER/WHERE/VULN SEVERITIES (#PCDATA) 


One or more vulnerability severity levels. Tickets with vulnerabilities having 
these severity levels were selected. 


/TICKET. EDIT. OUTPUT/HEADER/WHERE/POTENTIAL VULN SEVERITIES (#PCDATA) 


One or more potential vulnerability severity levels. Tickets with potential 
vulnerabilities having these severity levels were selected. 


/TICKET. EDIT OUTPUT/HEADER/WHERE/OVERDUE (#PCDATA) 


The value 1 indicates that only overdue tickets were selected. The value 0 
indicates that only non-overdue tickets were selected. 


/TICKET. EDIT OUTPUT/HEADER/WHERE/INVALID  (#PCDATA) 


The value 1 indicates that only invalid tickets were selected. The value 0 indicates 
that only valid tickets that were selected. 


/ TICKET. EDIT OUTPUT/HEADER/WHERE/TICKET. ASSIGNEE (#PCDATA) 


The user login of an active account who is the ticket assignee. Tickets with this 
assignee were selected. 


/ TICKET. EDIT OUTPUT/HEADER/WHERE/OIDS (#PCDATA) 
One or more Oualys IDs (OIDs). Tickets with these OIDs were selected. 
/ TICKET. EDIT OUTPUT/HEADER/WHERE/VULN TITLE CONTAINS (#PCDATA) 


A text string contained within the vulnerability title. Tickets with vulnerabilities 
containing this text string were selected. 


/TICKET. EDIT. OUTPUT/HEADER/WHERE/VULN. DETAILS CONTAINS (#PCDATA) 


A text string contained within vulnerability details. Tickets with vulnerability 
details containing this text string were selected. 


/ TICKET. EDIT. OUTPUT/HEADER/WHERE/VENDOR REF CONTAINS (#PCDATA) 


A text string contained within a vendor reference for the vulnerability. Tickets 
with a vendor reference containing this text string were selected. 


Ticket Edit Output — Changed and Skipped Tickets 


XPath element specifications / notes 
/TICKET. EDIT OUTPUT/CHANGES - (TICKET. NUMBER. LIST) 
attribute: count count is implied and, if present, is the total number of tickets that were edited. 


/ TICKET. EDIT. OUTPUT/CHANGES/TICKET. NUMBER LIST (TICKET. NUMBER +) 
/ TICKET. EDIT. OUTPUT/CHANGES/TICKET. NUMBER LIST/TICKET NUMBER (#PCDATA) 


The number of a ticket that was changed. 
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XPath element specifications / notes 
/TICKET. EDIT OUTPUT/SKIPPED (TICKET. LIST) 


attribute: count count is implied and, if present, is the total number of tickets that were not changed 
for some reason. 


/TICKET. EDIT. OUTPUT/SKIPPED/TICKET LIST (TICKET+) 
/ TICKET. EDIT. OUTPUT/SKIPPED/TICKET LIST/TICKET (NUMBER, REASON) 
/TICKET. EDIT. OUTPUT/SKIPPED/TICKET. LIST/TICKET /NUMBER (#PCDATA) 


The number of a ticket that was not changed for some reason. 
/ TICKET. EDIT OUTPUT/SKIPPED/TICKET LIST/TICKET /REASON (#PCDATA) 


The reason why the ticket identified in the NUMBER element was not changed. 
Possible reasons are: 

“Nothing to change” 

“Ticket not found (# ticket number)” 

“Ticket cannot be moved from Closed into Resolved state” 

“The IP in this ticket is not in the user's account” 

“Mid-air collision detected” 


Note: The "Mid-air collision detected" reason is returned when two Qualys 
entities (end users, API requests, and/or the service itself) attempts to change a 
ticket at the same time. In this case, the first request is processed and any 
additional requests return an error. 


Ticket Delete Output 


API used 
<platform API server>/msp/ticket_delete.php 


DTD for Ticket Delete Output 


<platform API server>/patch_scorecard.dtd 


A recent DTD is below. 
<!-- QUALYS TICKET DELETE OUTPUT DTD --> 
<!ELEMENT TICKET DELETE OUTPUT (ERROR | (HEADER, RETURN?) ?) > 
<!-- Ticket Report error --> 
<!ELEMENT ERROR (#PCDATA) > 


<!ATTLIST ERROR number CDATA #IMPLIED> 


it 


<!-- Information about the Ticket Report --> 

<!ELEMENT HEADER (USER LOGIN, COMPANY, DATETIME, WHERE) > 
<!ELEMENT USER_LOGIN (#PCDATA)> 

<!ELEMENT COMPANY (#PCDATA)> 

<!ELEMENT DATETIME (#PCDATA)> 


<!-- Search criteria --> 

<!ELEMENT WHERE ( (MODIFIED SINCE DATETIME?, UNMODIFIED SINCE DATETIME?, 
TICKET NUMBERS?, SINCE TICKET NUMBER?, 
UNTIL TICKET NUMBER?, STATES?, IPS?, ASSET GROUPS?, 
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DNS CONTAINS?, NETBIOS CONTAINS?, VULN SEVERITIES?, 
POTENTIAL VULN SEVERITIES?, OVERDUE?, INVALID?, 
TICKET ASSIGNEE?, OIDS?, VULN TITLE CONTAINS?, 

VULN DETAILS CONTAINS?, VENDOR REF CONTAINS?)+) > 


T MODIFIED SINCE DATETIME (#PCDATA) > 


ED SINCE DATETIME (#PCDATA) > 


ICKET NUMBERS (#PCDATA) > 


PCDATA) > 


ER (#PCDATA) > 


A 
Zz 
Q 
A 
A 
A 
Zz 
a 
v W W | 
3 


TATES (#PCDATA) 


PS (#PCDATA) > 


ET GROUPS (#PCDATA) > 


S 
S_CONTAINS (#PCDATA)> 


Zn 


T 


TBIOS_CONTAINS (#PCDATA) > 


N SEVERITIES (#PCDATA)> 


[a 


QO 


TENTIAL VULN SEVERITIES (#PCDATA) > 


Ov Z0UPrPHNGQMNHG 


< 
ps) 


DUE PCDATA) > 


< 
> 
E 

E 
El 


PCDATA) > 


Q 
A 
Gl 

3 


ASSIGNEE (#PCDATA) > 


H 


DS (#PCDATA)> 


N TITLE CONTAINS (#PCDATA)> 


€ 


N DETAILS CONTAINS (#PCDATA) > 


3232222232222 232322322322323=2=23% 


< < < OHH 


ENDOR REF CONTAINS (#PCDATA)> 


EMENT RETURN (MESSAGE?, CHANGES?) > 


ETURN 
tatus (FAILED|SUCCESS|WARNING) #REQUIRED 
umber CDATA #IMPLIED> 


R 
PTLIST R 
S 
n 


EMENT MESSAGE (#PCDATA)> 


EMENT CHANGES (TICKET NUMBER LIST) > 


m 
B, 
m 
E, 


'TLIST CHANGES 
count CDATA #REQUIRED> 


x 


EMENT TICKET NUMBER LIST (TICKET NUMBER+) > 


EMENT TICK 


T 


T_NUMBER (#PCDATA)> 
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XPaths for Ticket Delete Output 


XPath 


element specifications / notes 


/ TICKET. DELETE. OU 


TPU 


T (ERROR | (HEADER, RETURN?)?) 


/TICKET_DELETE_OU 


attribute: number 


TPU 


T/ERROR (#PCDATA) 


number is implied and, if present, is an error code. 


/TICKET_DELETE_OU 


TPU 


T/HEADER (USER. LOGIN, COMPANY, DATETIME, WHERE) 


/TICKET. DELETE OU 


TPU 


T/HEADER/USER LOGIN (#PCDATA) 


The Oualys user login name for the user who reguested the delete function. 


/TICKET. DELETE OU 


TPU 


T/HEADER/COMPANY (#PCDATA) 


The company associated with the Oualys user. 


/TICKET. DELETE OU 


TPU 


T/HEADER/DATETIME (#PCDATA) 


The date and time when the function was run. The date appears in YYYY-MM- 
DDTHH:MM:SSZ format (UTC/GMT) like this: 
“2005-01-10T02:33:11Z”. 


/TICKET_DELETE_OUTPUT/HEADER/WHERE 


((MODIFIED_SINCE_DATETIME?, UNMODIFIED_SINCE_DATETIME?, 
TICKET_NUMBERS?, SINCE_TICKET_NUMBER?, UNTIL. TICKET. NUMBER?, 
STATES?, IPS?, ASSET_GROUPS?, DNS_CONTAINS?, NETBIOS_CONTAINS?, 
VULN_SEVERITIES?, POTENTIAL_VULN_SEVERITIES?, OVERDUE?, 
INVALID?, TICKET. ASSIGNEE?, QIDS?, VULN_TITLE_CONTAINS?, 

VULN. DETAILS CONTAINS?, VENDOR. REF CONTAINS?) +) 


The ticket selection parameters specified with the ticket delete.php reguest are 
described below. 


/ TICKET. DELETE OUTPUT/HEADER/WHERE/MODIFIED SINCE DATETIME (#PCDATA) 


The start date/time of a time window when tickets were modified. The end of the 
time window is the date/time when the API function was run. Only tickets 
modified within this time window were selected. 


The start date/time appears in YYYY-MM-DD[THH:MM:SSZ] format 
(UTC/GMT). 


/TICKET. DELETE OUTPUT/HEADER/WHERE/UNMODIFIED SINCE DATETIME (#PCDATA) 


The start date/time of the time window when tickets were not modified. The end 
of the time window is the date/time when the API function was run. Only tickets 
that were not modified within this time window were retrieved. 


The start date/time appears in YYYY-MM-DD[THH:MM:SSZ] format 
(UTC/GMT). 


/TICKET_DELETE_OU 


TPU 


T/HEADER/WHERE/TICKET_NUMBERS (#PCDATA) 


One or more ticket numbers and/or ranges. Ticket range start and end is 
separated by a dash (-). 


/TICKET_DELETE_OU 


TPU 


T/HEADER/WHERE/SINCE TICKET NUMBER (#PCDATA) 


The lowest ticket number selected. Selected tickets have numbers greater than or 
egual to the ticket number specified. 


/TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/UNTIL TICKET NUMBER (#PCDATA) 


The highest ticket number selected. Selected tickets have numbers less than or 
egual to the ticket number specified. 
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element specifications / notes 


/TICKET_DELETE_OUTPUT/HEADER/WHERE/STATES 


(#PCDATA) 


The selected ticket states. Possible values are OPEN (for state/status Open or 
Open/Reopened), RESOLVED (for state Resolved), CLOSED (for state/status 
Closed/Fixed) and IGNORED (for state/status Closed /Ignored). 


/TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/IPS (#PCDATA) 


The selected IP addresses and/or ranges. Tickets on these IP addresses and/or 
ranges were selected. 


/TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/ASSET. GROUPS (#PCDATA) 


The title of one or more selected asset groups. Tickets on IP addresses in these 
asset groups were selected. 


/ TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/DNS CONTAINS (#PCDATA) 


A text string contained within the DNS host name. Tickets with a DNS host name 
containing this string were selected. 


/TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/NETBIOS CONTAINS (#PCDATA) 


A text string contained within the NetBIOS host name. Tickets with a NetBIOS 
host name containing this string were selected. 


/TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/VULN_SEVERITIES (#PCDATA) 


One or more vulnerability severity levels. Tickets with vulnerabilities having 
these severity levels were selected. 


/TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/POTENTIAL VULN SEVERITIES (#PCDATA) 


One or more potential vulnerability severity levels. Tickets with potential 
vulnerabilities having these severity levels were selected. 


/TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/OVERDUE (#PCDATA) 


The value 1 indicates that only overdue tickets were selected. The value 0 
indicates that only non-overdue tickets were selected. 


/ TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/INVALID (#PCDATA) 


The value 1 indicates that only invalid tickets were selected. The value 0 indicates 
that only valid tickets were selected. 


/TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/TICKET_ASSIGNEE (#PCDATA) 


The user login of an active account who is the ticket assignee. Tickets with this 
assignee were selected. 


/ TICKET. DELETE. OU 


TPU 


T/HEADER/WHERE/QIDS (#PCDATA) 
One or more Oualys IDs (OIDs). Tickets with these OIDs were selected. 


/TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/VULN. TITLE CONTAINS (#PCDATA) 


A text string contained within the vulnerability title. Tickets with vulnerabilities 
containing this text string were selected. 


/TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/VULN. DETAILS CONTAINS (#PCDATA) 


A text string contained within vulnerability details. Tickets with vulnerability 
details containing this text string were selected. 


/TICKET. DELETE OU 


TPU 


T/HEADER/WHERE/VENDOR. REF CONTAINS (#PCDATA) 


A text string contained within a vendor reference for the vulnerability. Tickets 
with a vendor reference containing this text string were selected. 


/ TICKET. DELETE. OU 
attribute: status 


attribute: number 


TPU 


T/RETURN (MESSAGE?, CHANGES?) 
status is reguired and is a status code, either SUCCESS, FAILED, or WARNING. 


number is implied and, if present, is an error code. 
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XPath element specifications / notes 
/TICKET_DELETE_OUTPUT/RETURN/MESSAGE  (#PCDATA) 


A descriptive message that corresponds to the status code. 
/ TICKET. DELETE OUTPUT/RETURN/CHANGES — (TICKET. NUMBER LIST) 
attribute: count count is implied and, if present, is the total number of tickets that were deleted. 
/TICKET. DELETE OUTPUT/RETURN/CHANGES/TICKET. NUMBER LIST (TICKET. NUMBER +) 
/ TICKET. DELETE OUTPUT/RETURN/CHANGES/TICKET. NUMBER. LIST/TICKET NUMBER (#PCDATA) 


A single ticket number that was deleted. 


Deleted Ticket List Output 


API used 
<platform API server>/msp/ticket list deleted.php 


DTD for Deleted Ticket List Output 
<platform API server>/ticket list deleted output.dtd 


A recent DTD is below. 


5 


<!-- QUALYS TICKET LIST DELETED OUTPUT DTD --> 


<!ELEMENT TICKET LIST DELETED OUTPUT 


( (HEADER, (TICKET LIST|ERROR|TRUNCATION)*) | ERROR) > 


<!-- Ticket Report error --> 
<!ELEMENT ERROR (#PCDATA) > 
<!ATTLIST ERROR number CDATA #IMPLIED> 


<!-- Truncation warning --> 
<!ELEMENT TRUNCATION (#PCDATA) > 
<!ATTLIST TRUNCATION last CDATA #IMPLIED> 


<!-- Information about the Ticket Report --> 

<!ELEMENT HEADER (USER LOGIN, COMPANY, DATETIME, WHERE) > 
<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT COMPANY (#PCDATA) > 

<!ELEMENT DATETIME (#PCDATA) > 


<!-- Search criteria --> 

<!ELEMENT WHERE ( (DELETED SINCE DATETIME?, DELETED BEFORE DATETIME?, 

SINCE TICKET NUMBER?, UNTIL TICKET NUMBER?, 
> 


TICKET NUMBERS?) +) > 
<!ELEMENT DELETED SINCE DATETIME (#PCDATA) > 
<!ELEMENT DELETED BEFORE DATETIME (#PCDATA) > 
<!ELEMENT SINCE TICKET NUMBER (#PCDATA) > 
<!ELEMENT UNTIL TICKET NUMBER (#PCDATA) > 
<!ELEMENT TICKET NUMBERS (#PCDATA) > 
<!-- Ticket information --> 
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(TICKET+) > 

(NUMBER, DELETION DAT 
(#PCDATA) > 
TIM 


ETIM 


F 


PCDATA) > 


XPaths for Deleted Ticket List Output 


Deleted Ticket List - Header Information 


XPath 


element specifications / notes 


/TICKET_LIST_DELETED_OU 


TPU 


T 
((HEADER,(TICKET_LIST | ERROR | TRUNCATION)*) | ERROR) 


/TICKET_LIST_DELETED_OU 


attribute: number 


TPU 


T/ERROR (#PCDATA) 


number is implied and if present, is an error code. 


/TICKET_LIST_DELETED_OU 


attribute: last 


TPU 


T/TRUNCATION (#PCDATA) 


last is implied and if present, is the last ticket number included in the deleted ticket 
list. This list is truncated after 1000 records. 


/TICKET_LIST_DELETED_OU 


TPU 


T/HEADER 
(USER_LOGIN, COMPANY, DATETIME, WHERE) 


/TICKET_LIST_DELETED_OU 


TPU 


T/HEADER/USER_LOGIN 
The Qualys user login for the user that requested the deleted ticket list. 


/TICKET_LIST_DELETED_OU 


TPU 


T/HEADER/COMPANY 


The company associated with the Qualys user. 


/TICKET_LIST_DELETED_OU 


TPU 


T/HEADER/DATETIME 


The date and time when the ticket list report was requested, in 
YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 


/TICKET. LIST. DELETED. OU 


TPU 


T/HEADER/WHERE 


((DELETED SINCE DATETIME?, DELETED. BEFORE DATETIME?, 
SINCE. TICKET. NUMBER?, UNTIL, TICKET. NUMBER?, TICKET. NUMBERS?) +) 


Ticket selection parameters specified as part of the ticket, list deleted.php reguest. 


/TICKET. LIST. DELETED. OU 


TPU 


T/HEADER/WHERE/DELETED SINCE DATETIME (#PCDATA) 


Tickets deleted since this date/time, in YYYY-MM-DD[THH:MM:SSZ] format 
(UTC/GMT). 


/TICKET. LIST. DELETED. OU 


TPU 


T/HEADER/WHERE/DELETED BEFORE DATETIME (#PCDATA) 


Tickets deleted since this date/time, in YYYY-MM-DD[THH:MM:SSZ] format 
(UTC/GMT). 


/TICKET. LIST. DELETED. OU 


TPU 


T/HEADER/WHERE/SINCE TICKET NUMBER (#PCDATA) 


Tickets since this ticket number. Selected tickets will have numbers greater than or 
egual to the ticket number specified. 


/TICKET. LIST. DELETED. OU 


TPU 


T/HEADER/WHERE/UNTIL TICKET NUMBER (#PCDATA) 


Tickets until this ticket number. Selected tickets will have numbers less than or 
egual to the ticket number specified. 
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XPath element specifications / notes 
/TICKET. LIST DELETED OUTPUT/HEADER/WHERE/TICKET NUMBERS (#PCDATA) 


Tickets with certain ticket numbers. One or more ticket numbers and/or ranges. 
Ticket range start and end is separated by a dash (-). 


Deleted Ticket List - General Ticket Information 


XPath element specifications / notes 
/TICKET LIST DELETED OUTPUT/TICKET LIST (TICKET+) 


/TICKET LIST DELETED OUTPUT/TICKET LIST/TICKET (NUMBER, DELETION. DATETIME) 
/TICKET LIST DELETED OUTPUT/TICKET LIST/TICKET/NUMBER (#PCDATA) 

The total number of deleted tickets. 
/TICKET LIST DELETED OUTPUT/TICKET LIST/TICKET/DELETION DATETIME (#PCDATA) 


The date when the ticket was deleted, in YYYY-MM-DDTHH:MM:SSZ 
format (UTC/GMT). 


Get Ticket Information Report 


API used 
<platform API server>/msp/get_tickets.php 


DTD for Get Ticket Info Output 
<platform API server>/remediation_tickets.dtd 


A recent DTD is below. 


<!-- QUALYS REMEDIATION TICKET INFO DTD --> 
<!ELEMENT REMEDIATION TICKETS ( (HEADER, ACCOUNT, (TICKET|ERROR)*) | ERROR) 
> 
<!-- Ticket Report error --> 
<!ELEMENT ERROR (#PCDATA) > 
<!ATTLIST ERROR number CDATA #IMPLIED > 
<!-- Information about the Ticket Report --> 
<!ELEMENT HEADER (KEY+) > 
<!-- Header Keys, e.g. 
USERNAME: corp xxn 


COMPANY: <! [CDATA [corp name] ]> 
DATE: yyyy-dd-mm-ddThh-mm-ssZ 


<!ELEMENT KEY (#PCDATA) > 
<!ATTLIST KEY 
value CDATA #IMPLIED > 


<!-- Account information --> 
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<!ATTLIST ACCOUNT 


<!ATTLIST TICK 
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¡ELEMENT ACCOUNT EMPTY > 


account-id CDATA #REQUIRED> 


¡ELEMENT TICK 


T (ASSIGNEE+, HOST, STATS?,HISTORY+, VULNINFO?, DETAILS?) > 


a 


m 
B, 
p 
E, 


ei 


number NMTOKEN #REQUIRED 
created CDATA #IMPLIED 

due CDATA #IMPLIED 
state CDATA #REQUIRED 
status CDATA #IMPLIED 
ticket-id CDATA #REQUIRED 


<!-- Ticket Assignee - content is QualysGuard user login ID --> 


<!ATTLIST ASSIGNEE 


!ELEMENT ASSIGNEE (#PCDATA) > 


name CDATA #REQUIRED 
email CDATA #REQUIRED 


<!-- Target Asset --> 


<!ATTLIST HOST 


!ELEMENT HOST (DNSNAME?, NBHNAME?, PORT?, SERVICE?, PROTOCOL?, FODN?,SSL?) > 


ip CDATA #REQUIRED> 


<!-- DNS Hostname --> 


!ELEMENT DNSNAME (#PCDATA) > 
!-- NetBios Hostname --> 
!ELEMENT NBHNAME (#PCDATA) > 
!'-- TCP Port of the vuln ==> 
!ELEMENT PORT (#PCDATA) > 

!'-- service name on the host--> 


¡ELEMENT SERVICE (#PCDATA) > 
l-- Protocol --> 

ELEMENT PROTOCOL (#PCDATA) > 
-- FQDN --> 

ELEMENT FODN (#PCDATA) > 


!-- was this found using SSL --> 
¡ELEMENT SSL (#PCDATA) > 


!-- Ticket Statistics --> 
¡ELEMENT STATS EMPTY > 


<!ATTLIST STATS 


first-found CDATA #REQUIRED 
last-found CDATA #REQUIRED 
last-scan CDATA #REQUIRED 
times-found CDATA #REQUIRED 
times-not-found CDATA #REQUIRED 
last-open CDATA #REQUIRED 
last-resolved CDATA #IMPLIED 
last-closed CDATA #IMPLIED 

last-ignored CDATA #IMPLIE 
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<!-- Ticket History --> 

<!ELEMENT HISTORY 

(STATE?, ADDED ASSIGNEES?, REMOVED ASSIGN 

<!ATTLIST HISTORY 
added NMTOKEN #REQUIRED 
by CDATA #REQUIRED> 


T 


ES?, SCAN?, RULE?, COMMENT?) > 


<!-- Ticket state/status --> 

<!ELEMENT STATE EMPTY > 

<!ATTLIST STATE 
old-state CDATA IMP 
new-state CDATA #IMP 


IED 


H 

=] 
CO 
V 


<!-- added assignees --> 
<!ELEMENT ADDED ASSIGNEES (ASSIGNEE+) > 


<!-- added assignees --> 
<!ELEMENT REMOVED ASSIGN 


T 
T 


ES (ASSIGNEE+) > 


<!-- Scan Repor 
<!ELEMENT SCAN 
<!ATTLIST SCAN 
ref CDATA #REQUIRED 
date CDATA #REQUIRED 


that triggered ticket policy --> 
PTY 2 


m A 


> 

<!-- Ticket Creation Rule (Policy) --> 
<!ELEMENT RULE (#PCDATA) > 

<!-- Ticket Comment --> 


<!ELEMENT COMMENT (#PCDATA) > 


<!-- Ticket Vulnerability Information --> 

<!ELEMENT VULNINFO (TITLE, CVE*, VENDOR* ) > 

<!-- severity is Qualys severity level 1 to 5 (possibly customized) --> 
<!-- 


standard-severity is the original Qualys severity level 1 to 5 
if it has been customized by the user 
--> 
<!ATTLIST VULNINFO 
type (VULN| POSS) REQUIRED 
qid CDATA #REQUIRED 
severity CDATA #REQUIRED 
standard-severity CDATA #IMPLIED 


<!-- CVE ID and optional URI to CVE website --> 
<!ELEMENT CVE (#PCDATA) > 
<!ATTLIST CVE 

id CDATA #REQUIRED 


> 
siss 


Vendor Reference and optional URI to vendor website, 
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e.g. name and location of vendor patch from Microsoft, RedHat, SUSE, 
Sun 
--> 
<!ELEMENT VENDOR (#PCDATA) > 
<!ATTLIST VENDOR 
ref CDATA #REQUIRED> 
<!ELEMENT TITLE (#PCDATA) > 
<!-- Ticket Vulnerability Details --> 
<!ELEMENT DETAILS 
(DIAGNOSIS?, CONSEQUENCE?, SOLUTION?, CORRELATION?, RESULT?) > 
<!ELEMENT DIAGNOSIS (#PCDATA) > 
<!ELEMENT CONSEQUENCE (#PCDATA) > 
<!ELEMENT SOLUTION (#PCDATA) > 
<!ELEMENT CORRELATION (EXPLOITABILITY?,MALWARE?) > 
<!ELEMENT EXPLOITABILITY (EXPLT SRC) +> 
<!ELEMENT EXPLT SRC (SRC NAME, EXPLT LIST) > 
<!ELEMENT SRC NAME (#PCDATA) > 
<!ELEMENT EXPLT LIST (EXPLT) +> 
<!ELEMENT EXPLT (REF, DESC, LINK?) > 
<!ELEMENT REF (#PCDATA) > 
<!ELEMENT DESC (#PCDATA) > 
<!ELEMENT LINK (#PCDATA) > 
<!ELEMENT MALWARE (MW SRC) +> 
<!ELEMENT MW SRC (SRC NAME, MW LIST)> 
<!ELEMENT MW LIST (MW INFO) +> 
<!ELEMENT MW INFO (MW ID, MW TYPE?, MW PLATFORM?, MW ALIAS?, MW RATING?, 
W LINK?) > 
<!ELEMENT MW ID (#PCDATA) > 
<!ELEMENT MW TYPE (#PCDATA) > 
<!ELEMENT MW PLATFORM (#PCDATA) > 
<!ELEMENT MW ALIAS (#PCDATA) > 
<!ELEMENT MW RATING (#PCDATA) > 
<!ELEMENT MW LINK (#PCDATA) > 
<!ELEMENT RESULT (#PCDATA) > 
<L== 
If the "format" attribute is set to "table", then column 
values are separated by tab '\t', and rows are terminated 
by new line 'An'. 
==> 


<!ATTLIST RESULT 


format CDATA #IMPLIED 
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XPaths for Ticket Information Report 


Tickets - Header Information 
XPath element specifications / notes 
/REMEDIATION. TICKETS ((HEADER, ACCOUNT TICKET*) | ERROR) 
/REMEDIATION_TICKETS/HEADER 
(KEY)+ 
/REMEDIATION_TICKETS/HEADER/KEY 
attribute: value value is implied and, if present, will be one of the following: 
USERNAME .................. The Qualys user login name for the user that requested 
the ticket report. 
COMPANY The company associated with the Qualys user. 


The date when the ticket report was requested in 
YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 


/REMEDIATION_TICKETS/ ACCOUNT 


attribute: account-id account-id is required and will be the MD5 hash of the Qualys subscription ID 
associated with the Qualys user account specified in the header key 
USERNAME. 


/REMEDIATION_TICKETS/ERROR 


attribute: number number is implied and, if present, is an error code. 


Tickets - General Ticket Information 


XPath element specifications / notes 
/REMEDIATION_TICKETS/TICKET 


(ASSIGNEE+,HOST,STATS?, HISTORY+,VULNINFO?,DETAILS?) 


attribute: number value is required and is the remediation ticket number that appears in the Qualys 
user interface. 


attribute: created created is implied, and if present, will be the date when the ticket was first created 
in YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 

attribute: due due is implied, and if present, will be the due date for ticket resolution in YYYY- 
MM-DDTHH:MM:SSZ format (UTC/GMT). 

attribute: state state is required and will be the current ticket state: OPEN, RESOLVED, or 
CLOSED. 

attribute: status status is implied, and if present, will be the current ticket status: REOPENED, 
FIXED, IGNORED. 

attribute: ticket-id ticket-id is required and will be the unique ID of the remediation ticket, used to 


identify the ticket within the Qualys application. 
/REMEDIATION_TICKETS/TICKET / ASSIGNEE 


The user login name of the assignee’s Qualys user account. 


attribute: name name is required and is the full name (first and last) of the assignee, as defined in 
the assignee’s Qualys user account. 


attribute: email email is required and is the email address of the assignee, as defined in the 
assignee’s Qualys user account. 


/REMEDIATION_TICKETS/TICKET/COMMENT 


Comments added to the ticket by Qualys users. 
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Tickets - Host Information 


XPath element specifications / notes 
/REMEDIATION. TICKETS/TICKET/HOST 


(DNSNAME?,NBHNAME?,PORT?,SERVICE?,PROTOCOL?,FODN?,SSL?) 


attribute: ip ip is reguired and is the IP address that the ticket applies to, the IP address on 
which the vulnerability was detected. 


/REMEDIATION. TICKETS/TICKET/HOST/DNSNAME 

The registered DNS host name. 

/REMEDIATION. TICKETS/TICKET/HOST/NBHNAME 

The Microsoft Windows NetBIOS host name. 
/REMEDIATION. TICKETS/TICKET/HOST/PORT 

The TCP port on which the vulnerability was detected. 
/REMEDIATION. TICKETS/TICKET/HOST/SERVICE 


The service name of the host, found during information gathering. 
/REMEDIATION_TICKETS/TICKET /HOST/PROTOCOL 

The protocol running on the host, when known. 
/REMEDIATION_TICKETS/TICKET /HOST/FQDN 

The fully qualified domain name of the host, when known. 
/REMEDIATION. TICKETS/TICKET/HOST/SSL 


A flag indicating whether SSL was present on this host when known. If SSL was 
present, the SSL element appears with the value TRUE. 


Tickets - Statistics and History 


XPath element specifications / notes 
/REMEDIATION. TICKETS/TICKET/STATS 
attribute: first-found first-found is reguired and will be the date and time when the vulnerability was 
first detected on the host, in YYYY-MM-DDTHH:MM:SSZ format 
(UTC/GMT) 
attribute: last-found last-found is reguired and will be the date and time when the vulnerability was last 


detected on the host (from the most recent scan), in YYYY-MM- 
DDTHH:MM:SSZ format (UTC/GMT) 


attribute: last-scan last-scan is reguired and will be the date and time of the most recent scan of the 
host, in YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT) 

attribute: times-found times-found is required and will be the total number of times the vulnerability was 
detected on the host 

attribute: times-not-found times-not-found is required and will be the total number of times the host was 
scanned and the vulnerability not detected 

attribute: last-open last-open is required and will be the date of the most recent scan which caused the 
ticket state to be changed to Open, in YYYY-MM-DDTHH:MM:SSZ format 
(UTC/GMT) 

attribute: last-resolved last-resolved is implied, and if present, will be the date of the most recent scan 


which caused the ticket state to be changed to Resolved, in YYYY-MM- 
DDTHH:MM:SSZ format (UTC/GMT) 
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XPath element specifications / notes 


attribute: last-closed last-closed is implied, and if present, will be the date of the most recent scan which 
caused the ticket state to be changed to Closed, in YYYY-MM- 
DDTHH:MM:SSZ format (UTC/GMT) 


attribute: last-ignored last-ignored is implied, and if present, will be the most recent date and time when 
the ticket was marked as Ignored, in YYYY-MM-DDTHH:MM:SSZ format 
(UTC/GMT) 


/REMEDIATION_TICKETS/TICKET / HISTORY 


(STATE? ADDED. ASSIGNEES? REMOVED_ASSIGNEES?,SCAN?,RULE?, COMMENT? 
) 


attribute: added added is reguired and is the token name for the ticket history event 


attribute: by by is reguired and is the Oualys user login name, identifying the user whose action 
prompted the ticket history event (such as user scan resulting in ticket 
state/status change, user ticket edit) 


/REMEDIATION. TICKETS/TICKET/HISTORY/STATE 


attribute: old-state old-state is implied, and if present, will be the old (previous) state of the ticket 


attribute: new-state new-state implied, and if present, will be the new state of the ticket 
/REMEDIATION_TICKETS/TICKET/HISTORY / ADDED_ASSIGNEES 
Qualys user login name of an assignee that was added. 
/REMEDIATION_TICKETS/ TICKET / HISTORY /REMOVED_ASSIGNEES 
Qualys user login name of an assignee that was removed. 
/REMEDIATION_TICKETS/TICKET /HISTORY /SCAN 


attribute: ref ref is required and is the scan report reference for the scan that triggered the ticket 
update event. Note: For a new ticket created by a user, a scan report reference 
is not returned. 


attribute: date date is required and is the date and time of the scan that triggered the ticket update 
event, in YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT) 


/REMEDIATION. TICKETS/TICKET/HISTORY/RULE 


The name of the policy rule that triggered the automatic ticket creation. 


Tickets - Vulnerability Information 


XPath element specifications / notes 
/ REMEDIATION, TICKETS/TICKET/VULNINFO 
(TITLE,CVE*, VENDOR*) 
attribute: type type is required and is a vulnerability type flag, VULN for vulnerability and POSS 
for potential vulnerability 
attribute: qid qid is required and is the Qualys ID number assigned to the vulnerability 
attribute: severity severity is required and is the Qualys assigned severity level (from 1 to 5) 
attribute: standard-severity standard-severity is implied, and if present, will be a user-defined severity level 


(from 1 to 5) 
/REMEDIATION. TICKETS/TICKET/VULNINFO/TITLE 


The title of the vulnerability as defined for the vulnerability in the Oualys 
Vulnerability KnowledgeBase. 
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XPath element specifications / notes 
/REMEDIATION. TICKETS/TICKET/VULNINFO/CVE 


CVE (Common Vulnerabilities and Exposures) is a list of common names for 
publicly known vulnerabilities and exposures. Through open and collaborative 
discussions, the CVE Editorial Board determines which vulnerabilities or 
exposures are included in CVE. If the CVE name starts with CAN (candidate) then 
itis under consideration for entry into CVE. 


attribute: id id is required and is the CVE name(s) associated with the Qualys vulnerability 
check associated with the ticket 


/REMEDIATION_TICKETS/TICKET / VULNINFO/ VENDOR 
URI to the vendor Web site, when available 


attribute: ref ref is required and is a vendor reference name, like Microsoft, Red Hat, SUSE, Sun 
/REMEDIATION_TICKETS/TICKET/DETAILS 
(DIAGNOSIS?,CONSEOUENCE?,SOLUTION?,CORRELATION?, RESULT?) 
/REMEDIATION_TICKETS/TICKET/DETAILS/DIAGNOSIS 


A description of the threat posted by the vulnerability, from the Qualys 
KnowledgeBase. This element may be present only when get_tickets.php is 
specified with the vuln_details=1 parameter. 


/REMEDIATION. TICKETS/TICKET/DETAILS/ CONSEQUENCE 


A description of the possible impact if the vulnerability is exploited, from the 
Qualys KnowledgeBase. This element may be present only when get, tickets.php 
is specified with the vuln_details=1 parameter. 


/REMEDIATION_TICKETS/TICKET/DETAILS /SOLUTION 


A verified solution to fix the vulnerability, from the Qualys KnowledgeBase. 
When virtual patch information is correlated with a vulnerability, the virtual 
patch information from Trend Micro appears under the heading “Virtual 
Patches:”. This includes a list of virtual patches and a link to more information. 
This element may be present only when get_tickets.php is specified with the 
vuln_details=1 parameter. 


/REMEDIATION. TICKETS/TICKET/DETAILS/ CORRELATION 
(EXPLOITABILITY?, MALWARE?) 

/REMEDIATION. TICKETS/TICKET/DETAILS/ CORRELATION / 

EXPLOITABILITY (EXPLT_SRC)+ 
The <EXPLOITABILITY> element and its sub-elements appear only when there is 
exploitability information for the vulnerability from third party vendors and/or 
publicly available sources. 


/REMEDIATION. TICKETS/TICKET/DETAILS/ CORRELATION / 
EXPLOITABILITY/EXPLT SRC (SRC NAME, EXPLT LIST) 


/REMEDIATION. TICKETS/TICKET/DETAILS/ CORRELATION / 
EXPLOITABILITY/EXPLT SRC/SRC NAME (#PCDATA) 


The name of a third party vendor or publicly available source of the vulnerability 
information. 


/REMEDIATION_TICKETS/TICKET/DETAILS/CORRELATION / 
EXPLOITABILITY/EXPLT. SRC/EXPLT LIST (EXPLT)+ 


/REMEDIATION_TICKETS/TICKET/DETAILS/CORRELATION / 
EXPLOITABILITY/EXPLT. SRC/EXPLT LIST/EXPLT (REF, DESC, LINK?) 


/REMEDIATION. TICKETS/TICKET/DETAILS/ CORRELATION/ 
EXPLOITABILITY /EXPLT_SRC/EXPLT_LIST/EXPLT/REF (#PCDATA) 


The CVE reference for the exploitability information. 
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XPath element specifications / notes 


/REMEDIATION. TICKETS/TICKET/DETAILS/ CORRELATION/ 
EXPLOITABILITY /EXPLT_SRC/EXPLT_LIST/EXPLT/DESC (#PCDATA) 


The description provided by the source of the exploitability information (third 
party vendor or publicly available source). 


/REMEDIATION_TICKETS/TICKET /DETAILS/CORRELATION/ 
EXPLOITABILITY/EXPLT SRC/EXPLT LIST/EXPLT/LINK (#PCDATA) 


A link to the exploit, when available. 


/REMEDIATION_TICKETS/TICKET /DETAILS/CORRELATION/ 
MALWARE (MW_SRC)+ 


The <MALWARE> element and its sub-elements appear only when there is 
malware information for the vulnerability from Trend Micro. 


/REMEDIATION_TICKETS/TICKET/DETAILS/CORRELATION/ 
MALWARE/MW SRC (SRC NAME, MW LIST) 


/REMEDIATION_TICKETS/TICKET/DETAILS/CORRELATION/ 
MALWARE/MW SRC/SRC NAME (#PCDATA) 


The name of the source of the malware information: Trend Micro. 


/REMEDIATION. TICKETS/TICKET/DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST (MW INFO)+ 


/REMEDIATION_TICKETS/TICKET /DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO 
(MW_ID, MW_TYPE?, MW_PLATFORM?, MW_ALIAS?, MW_RATING?, 
MW_LINK?) 


/REMEDIATION_TICKETS/TICKET /DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO /MW_ID - (#PCDATA) 


The malware name/ID assigned by Trend Micro. 


/REMEDIATION. TICKETS/TICKET/DETAILS/CORRELATION/ 
MALWARE/MW. SRC/MW. LIST/MW INFO /MW TYPE (#PCDATA) 


The type of malware, such as Backdoor, Virus, Worm or Trojan. 


/REMEDIATION. TICKETS/TICKET/DETAILS/CORRELATION/ 
MALWARE/MW. SRC/MW LIST/MW INFO /MW. PLATFORM  (#PCDATA) 


A list of the platforms that may be affected by the malware. 


/REMEDIATION. TICKETS/TICKET/DETAILS/CORRELATION/ 
MALWARE/MW. SRC/MW LIST/MW INFO /MW. ALIAS (#PCDATA) 


A list of other names used by different vendors and/or publicly available sources 
to refer to the same threat. 


/REMEDIATION. TICKETS/TICKET/DETAILS/CORRELATION/ 
MALWARE/MW. SRC/MW. LIST/MW INFO /MW RATING (4PCDATA) 


The overall risk rating as determined by Trend Micro: Low, Medium or High. 


/REMEDIATION_TICKETS/TICKET/DETAILS/CORRELATION/ 
MALWARE/MW_SRC/MW_LIST/MW_INFO /MW LINK (#PCDATA) 


A link to malware details. 
/REMEDIATION. TICKETS/TICKET/DETAILS/RESULT 


Specific scan test results for the vulnerability, from the host assessment data. This 
element may be present only when get. tickets.php is specified with the 
vuln, details=1 parameter. 


attribute: format format is implied and if present, will be the result format 
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Ignore Vulnerability Output 


API used 
<platform API server>/api/2.0/fo/ignore_vuln/index.php 


DTD for Ignore Vulnerability Output 
<platform API server>/api/2.0/dtd/ignore_vuln_output.dtd 


A recent DTD is below. 


T 


<!ELEMENT IGNORE VULN OUTPUT (REQUEST?, RESPONSE) > 


<!-- "name" is the name of API --> 

<!-- "at" attribute is the current platform date and time --> 

<!ELEMENT REQUEST (#PCDATA) > 

<!ATTLIST REQUEST 
name CDATA #REQUIRED 
username CDATA #REQUIRED 

t CDATA #REQUIRED> 


w 


<!-- the PCDATA contains an explanation of the status --> 
<!ELEMENT RESPONSE (MESSAGE, IGNORED LIST?, RESTORED LIST?)> 
<!ATTLIST RESPONSE 
status (FAILED|SUCCESS|WARNING) #REQUIRED 
number CDATA #IMPLIED> 

<!ELEMENT MESSAGE (#PCDATA) *> 


<!ELEMENT IGNORED LIST (IGNORED+) > 
<!ELEMENT IGNORED (TICKET NUMBER, QID, IP, DNS?, NETBIOS?)> 
<!ELEMENT TICKET NUMBER (#PCDATA) > 

<!ELEMENT QID (#PCDATA) > 

<!ELEMENT IP (#PCDATA) > 

<!ELEMENT DNS (#PCDATA) *> 

<!ELEMENT NETBIOS (#PCDATA) *> 


<!ATTLIST IP network id CDATA #IMPLII 


El 


D> 


<!ELEMENT RESTORED_LIST (RESTORED+) > 
<!ELEMENT RESTORED (TICKET NUMBER, QID, IP, DNS?, NETBIOS?)> 


313 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 8 - VM Remediation Tickets XML 


XPaths for Ignore Vulnerability Output 


This section describes the XPaths for the ignore vulnerability output 
(ignore. vuln, output.dtd). 


XPath element specifications / notes 
/IGNORE VULN. OUTPUT (API, RETURN) 


/IGNORE VULN. OUTPUT/AP (#PCDATA) 
I 


attribute: name name is required and is the API function name. 
attribute: username username is required and is the user login of the API user. 
attribute: at at is required and is the date/time when the function was run in 


YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 
/IGNORE_VULN_OUTPUT/RETURN (MESSAGE, IGNORED LIST?, RESTORED_LIST?) 
attribute: status status is required and is a status code, either SUCCESS, FAILED, or WARNING. 


attribute: number number is implied and, if present, is an error code. 


/IGNORE VULN OUTPUT/RETURN/MESSAGE  (#PCDATA) 


descriptive message that corresponds to the status code. 


A 
/IGNORE VULN OUTPUT/RETURN/IGNORED LIST  (IGNORED+) 


/IGNORE_VULN_OUTPUT/RETURN/IGNORED_LIST/IGNORED (TICKET_NUMBER, QID, IP, DNS?, 
NETBIOS?) 


/IGNORE_VULN_OUTPUT/RETURN/RESTORED_LIST (RESTORED+) 


/IGNORE_VULN_OUTPUT/RETURN/RESTORED_LIST/RESTORED (TICKET NUMBER, QID, IP, DNS?, 
NETBIOS?) 
/IGNORE_VULN_OUTPUT/RETURN/{LIST}/{VULN}/TICKET_NUMBER (#PCDATA) 


The ticket number related to a vulnerability that was ignored or restored. {LIST} 
stands for an ignored or restored list. (VULN) stands for an ignored or restored 
vulnerability. 

/IGNORE_VULN_OUTPUT/RETURN/{LIST}/{VULN}/QID (#PCDATA) 


The QID related to a vulnerability that was ignored or restored. {LIST} stands for 
an ignored or restored list. (VULN) stands for an ignored or restored 
vulnerability. 


/IGNORE_VULN_OUTPUT/RETURN/{LIST}/{VULN}/IP (#PCDATA) 


The IP address related to a vulnerability that was ignored or restored. {LIST} 
stands for an ignored or restored list. (VULN) stands for an ignored or restored 
vulnerability. 


/IGNORE_VULN_OUTPUT/RETURN/{LIST}/{VULN}/DNS (#PCDATA) 


The DNS host name related to a vulnerability that was ignored or restored. {LIST} 
stands for an ignored or restored list. (VULN) stands for an ignored or restored 
vulnerability. 


/IGNORE_VULN_OUTPUT/RETURN/{LIST}/{VULN}/NETBIOS (#PCDATA) 


The NetBIOS host name related to a vulnerability that was ignored or restored. 
{LIST} stands for an ignored or restored list. {VULN} stands for an ignored or 
restored vulnerability. 
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Chapter 9 - Compliance XML 


This section describes the XML output returned from Policy Compliance API reguests. 
Compliance Control List Output 

Compliance Policy List Output 

Compliance Policy Export Output 

Compliance Posture Info List Output 

Compliance Policy Report 

Compliance Authentication Report 

Compliance Scorecard Report 


Exception List Output 


Exception Batch Return Output 


SCAP Policy List Output 


Compliance Control List Output 


API used 


<platform API server>/api/2.0/fo/compliance/control/?action=list 


DTD for Compliance Control List Output 
<platform API server>/api/2.0/fo/compliance/control/control_list_output.dtd 


A recent DTD is shown below. 


<!-- QUALYS CONTROL LIST OUTPUT DTD --> 

<!-- SRevision$ --> 

<!ELEMENT CONTROL LIST OUTPUT (REQUEST?, RESPONSE) > 

<!ELEMENT REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 


<!ELEMENT USER LOGIN (#PCDATA) > 


<!ELEMENT RESOURCE (#PCDATA) > 

<!EL NT PARAM LIST (PARAM+) > 

<!ELEMENT PARA (KEY, VALUE) > 

<!EL NT KEY (#PCDATA) > 

<!ELE NT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


<!ELEMENT RESPONSE (DATETIME, (CONTROL LIST|ID_ SET) ?, WARNING?) > 
<!ELEMENT CONTROL LIST (CONTROL+) > 
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ENT 


e 


IGNORE 


SCAN PARAMETE 


ENT 


TNT 


, CR 


ENT CONTROL (I 


ITICALI 


HECK 


_TYPE?, 
ERROR?, (IGNO 
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D, UPDATE DATE, CREATED DATE, CATEGORY, SUB CATEGORY, 


T 


TY?, DEPRECATED?, DEPRECATED DATE?, 


COMMENT?, USE AGENT ONLY?, AUTO UPDATE?, 


RE ITEM NOT FOUND|ERROR SET STATUS) ?, 


ID 


RS?, TE 
(#PCDAT 


CHNOLOGY LIST, FRAMEWORK LIST?) > 
A)> 


ENT 


ENT 


Y (LABEL, VALUE) > 


(GFPCDATA) > 


DATE (#PCDATA) > 


(# PCDATA) > 


2 a E E A AA Aa AA VA AA 


ETERS (PATH TYPE?, REG HIVE?, REG KEY?, 


MLIN 


SKIP 


E PATH?, FILE QUERY?, HASH TYPE?, WMI NS?, 


IMIT?, 


OULD DE 


ER?, GROUP NAME?, GROUP NAME 


K?, FIL 
2, WIN 


FILE SYS OBJECT TYPES?, 


LL KNOWN USERS FOR ANY DOMAIN?, WIN PERMISSION USERS? 


N MATCH 


2, WIN PERMISSIONS?, PER ISSIONS?, PERI 


e 


USER OWNER?, GROUP OWNER?, SCRIPT ID?, SCRIPT NAM 


SCEND?, DEPTH LIMIT?, INTEGRITY CHECK DEPTH LIMIT?, 
E NAME MATCH?, FILE NAME SKIP?, DIR NAME 


MATCH?, 


ND?, 


2 
eE 


HO. 


,IMIT?, MATCH LIMIT?, INTEGRITY CHECK 1 


r 
CHECK V2 TIME LIMIT?, FILE CONTENT CHECK V2 MAT 


E LIMIT?, 


re 


H LIMIT?, 


E C 


ASE 


VE_SEARCH?, EXCLUDE USER OWNER?, EXCLUDE 


PTI 


ENT 


HASH?, 


ON) > 
PAT 


H_TYPE 


ENT 


REG 


ENT 


REG 


KEY (4 


H_LIMIT?, INTEGRITY CHECK OBJECT TYPES?, 


SION MONITOR?, DATA TYPE, EVALUATE AS S 


(#PCDATA) > 


ENT 


REG 


ENT 


ENT 


NAME (#PCDATA) > 
(#PCDATA) > 
(t PCDATA) > 
(#PCDATA) > 
CDATA) > 
(#PCDATA) > 


RE USER (#PCDATA) > 


(#PCDATA) > 
(# PCDATA) > 
LIMIT (#PCDATA) > 


ENT 


#PCDATA) > 
T (#PCDATA) > 
CHECK DEPTH LIMIT (#PCDATA) > 


_MATCH (#PCDATA) > 
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<!ELEMENT FILE NAME SKIP (#PCDATA) > 

<!ELEMENT DIR NAME MATCH (#PCDATA) > 

<!ELEMENT DIR NAME SKIP (#PCDATA)> 

<!ELEMENT TIME LIMIT (#PCDATA) > 

<!ELEMENT MATCH LIMIT (#PCDATA) > 

<!ELEMENT WIN FILE SYS OBJECT TYPES (#PCDATA) > 
<!ELEMENT MATCH WELL KNOWN USERS FOR ANY DOMAIN (#PCDATA) > 
<!ELEMENT WIN PERMISSION USERS (#PCDATA) > 

<!ELEMENT WIN PERMISSION MATCH (#PCDATA) > 

<!ELEMENT SHOULD DESCEND (#PCDATA) > 

<!ELEMENT FOLLOW SYMLINK (#PCDATA) > 

<!ELEMENT PERMISSIONS (SPECIAL, USER, GROUP, OTHER) > 
<!ELEMENT PERM COND (#PCDATA) > 

<!ELEMENT TYPE MATCH (#PCDATA) > 

<!ELEMENT USER OWNER (#PCDATA) > 

<!ELEMENT GROUP OWNER (#PCDATA) > 

<!ELEMENT DB QUERY (#PCDATA) > 

<!ELEMENT SCRIPT ID (#PCDATA) > 

<!ELEMENT SCRIPT NAME (#PCDATA) > 

<!ELEMENT OUTPUT FILTER (#PCDATA) > 

<!ELEMENT WIN PERMISSIONS (WIN BASIC PERMISSIONS?, 
WIN ADVANCED PERMISSIONS?) > 

<!ELEMENT WIN BASIC PERMISSIONS (WIN BASIC PERMISSION TYPE+) > 
<!ELEMENT WIN ADVANCED PERMISSIONS (WIN ADVANCED PERMISSION TYPE+) > 
<!ELEMENT WIN BASIC PERMISSION TYPE (#PCDATA) > 
<!ELEMENT WIN ADVANCED PERMISSION TYPE (#PCDATA) > 
<!ELEMENT SPECIAL (USER, GROUP, DELETION) > 

<!ELEMENT USER (#PCDATA|READ|WRITE|EXECUTE) *> 
<!ELEMENT GROUP (#PCDATA|READ|WRITE|EXECUTE) *> 
<!ELEMENT OTHER (READ, WRITE, EXECUTE) > 

<!ELEMENT DELETION (#PCDATA) > 

<!ELEMENT READ (#PCDATA) > 

<!ELEMENT WRITE (#PCDATA) > 

<!ELEMENT EXECUTE (#PCDATA) > 

<!ELEMENT INTEGRITY CHECK TIME LIMIT (#PCDATA) > 
<!ELEMENT FILE CONTENT CHECK V2 TIME LIMIT (#PCDATA) > 
<!ELEMENT FILE CONTENT CHECK V2 MATCH LIMIT (#PCDATA) > 
<!ELEMENT INTEGRITY CHECK MATCH LIMIT (#PCDATA) > 
<!ELEMENT INTEGRITY CHECK OBJECT TYPES (#PCDATA) > 
<!ELEMENT DIGEST HASH (#PCDATA) > 

<!ELEMENT PERMISSION MONITOR (#PCDATA) > 

<!ELEMENT DISABLE CASE SENSITIVE SEARCH (#PCDATA) > 
<!ELEMENT EXCLUDE USER OWNER (#PCDATA) > 

<!ELEMENT EXCLUDE GROUP OWNER (#PCDATA) > 

<!ELEMENT DATA TYPE (#PCDATA) > 

<!ELEMENT EVALUATE AS STRING (#PCDATA) > 

<!ELEMENT DESCRIPTION (#PCDATA) > 

<!ELEMENT TECHNOLOGY LIST (TECHNOLOGY+) > 

<!ELEMENT TECHNOLOGY (ID, NAME, RATIONALE, DATAPOINT?, USE SCAN VALUE? 
DB OUERY?, DESCRIPTION?) > 
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<!ELEMENT NAME (#PCDATA) > 

T RATIONALE (4PCDATA) > 

T DATAPOINT (CARDINALITY, OPERATOR, DEFAULT VALUES) > 
T USE SCAN VALUE (#PCDATA) > 

RDINALITY (#PCDATA) > 
PERATOR (#PCDATA) > 
EFAULT VALUES (DEFAULT VALUE+) > 
EFAULT VALUES total CDATA "0"> 
EFAULT VALUE (#PCDATA) > 


A 

NE 424242224 
Q 
D 


Y 
> 
= 
O 
3 
PS 
Ei 
un 
E 
Fl 
= 
O 
3 
= 
v 


E LIST) > 


EFERENCE (SECTION, COMMENTS) > 
ECTION (#PCDATA) > 
OMMENTS (#PCDATA) > 


A 
SSR AaaaeEES 
D 
E 
= 
O 
po 
nN 
E 
iw) 
A 
D 
o) 
Hy 
yo) 
Q 


<!ELEMENT WARNING (CODE 
<!ELEMENT CODE (#PCDAT 
<!ELEMENT TEXT (#PCDAT 
<!ELEMENT URL (#PCDATA) 
<!-- EOF --> 


XPaths for Control List Output 


Control List Output: Request 


XPath element specifications / notes 
(CONTROL LIST OUTPUT (REQUEST?, RESPONSE) 
(CONTROL LIST OUTPUT/REOUEST 


(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
(CONTROL LIST OUTPUT/REOUEST/DATETIME — (*PCDATA) 


The date and time of the request. 
/CONTROL_LIST_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 


he user login ID of the user who made the request. 
/CONTROL_LIST_OUTPUT/REQUEST/RESOURCE (#PCDATA) 


The resource specified for the request. 


/CONTROL_LIST_OUTPUT/REQUEST/PARAM_LIST (PARAM+) 


/CONTROL_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 


/CONTROL_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM/KEY  (#PCDATA) 


Wn 


An input parameter name. 
/CONTROL_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM/VALUE (#PCDATA) 


An input parameter value. 
/CONTROL_LIST_OUTPUT/REQUEST/POST_DATA  (#PCDATA) 
The POST data, if any. 
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Control List Output: Response 


XPath element specifications / notes 
(CONTROL LIST OUTPUT (REQUEST?, RESPONSE) 


/CONTROL LIST. OUTPUT/RESPONSE 
(DATETIME, CONTROL LISTJID. SET?, WARNING?) 
(CONTROL LIST OUTPUT/RESPONSE/DATETIME (#PCDATA) 


The date and time of the response. 


/CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIS (CONTROL +) 
(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL 
D, UPDATE DATE, CREATED. DATE, CATEGORY, SUB. CATEGORY, 


STATEMENT, CRITICALITY?, DEPRECATED?, DEPRECATED DATE?, 
CHECK. TYPE?, COMMENT?, USE AGENT. ONLY?, AUTO UPDATE?, 
GNORE ERROR?, ([GNORE ITEM NOT. FOUNDJERROR. SET STATUS)?, , 
SCAN_PARAMETERS?, TECHNOLOGY LIST, FRAMEWORK LIST?) 


(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/ID (#PCDATA) 
A compliance control ID. 


(CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/UPDATE. DATE 
(#PCDATA) 


The date and time when the control was last updated. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/CREATED_DATE 
(#PCDATA) 


The date and time when the control was created. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/CATEGORY (#PCDATA) 
A category for a compliance control. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SUB-CATEGORY 
#PCDATA) 
A sub-category for a compliance control. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/STATEMENT (#PCDATA) 
A statement for a compliance control. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/CRITICALITY 
LABEL, VALUE) 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/CRITICALITY/LABEL 


Wn 


(#PCDATA) 
A criticality label (e.g. SERIOUS, CRITICAL, URGENT) assigned to the 
control. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/CRITICALITY/VALUE 
(*PCDATA) 


A criticality value (0-5) assigned to the control. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/DEPRECATED (#PCDATA) 


The value 1 identifies a deprecated control. This element appears only for a 
deprecated control. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/DEPRECATED_DATE (#PCDATA) 


For a deprecated control, the date the control was deprecated. This element 
appears only for a deprecated control. 


Wn 
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XPath element specifications / notes 

(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/CHECK TYPE (#PCDATA) 

The check type: Registry Key Existence, Registry Value Existence, Registry 
Value Content Check, Registry Permission, etc 

(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/COMMENT - (*PCDATA) 

User defined comments. 

(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/USE. AGENT. ONLY (#PCDATA) 


Set to 1 when the “Use agent scan only” option is enabled for the control. 
When enabled the control is evaluated using scan data collected from a 


cloud agent scan only. 
(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/AUTO UPDATE (#PCDATA) 

Set to 1 when the “Auto Update expected value” option is enabled for the 

control. When enabled the control’s expected value for posture evaluation 

is replaced with the actual value collected from the cloud agent scan. 
(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/IGNORE ERROR — (4PCDATA) 


Set to 1 when the ignore error option is enabled for the control. When 
enabled, the service marks control instances as Passed in cases where an 


error occurs during control evaluation. 
(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/(IGNORE ITEM NOT FOUNDJERROR SET S 
TATUS)? (#PCDATA) 


Set to 1 when the ignore item not found option is enabled for the control. 
When enabled the service will show a status of Passed or Failed in cases 
where a control returns error code 2 “item not found” (e.g. scan did not find 
file, registry, or related data, as appropriate for the control type), depending 
on the status you prefer (defined in the policy). 


(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS 
(PATH. TYPE?, REG HIVE?, REG KEY?, REG VALUE NAME?, FILE PATH?, 
FILE OUERY?, HASH TYPE?, WMI NS?, WMI OUERY?, SHARE USER?, 
PATH USER?, GROUP NAME?, GROUP NAME LIMIT?, BASE DIR?, 
SHOULD. DESCEND?, DEPTH LIMIT?, INTEGRITY CHECK DEPTH LIMIT?, 
FOLLOW. SYMLINK?, FILE NAME MATCR?, FILE. NAME SKIP?, 
DIR. NAME MATCRH?, DIR NAME SKIP?, WIN FILE SYS OBJECT. TYPES?, 

MATCH. WELL KNOWN USERS FOR ANY DOMAIN?, 

WIN. PERMISSION USERS?, WIN. PERMISSION. MATCH?, 

WIN. PERMISSIONS?, PERMISSIONS?, PERM COND?, TYPE MATCH?, 

USER OWNER?,GROUP OWNER?, SCRIPT ID?, SCRIPT NAME?, 

OUTPUT. FILTER?, TIME. LIMIT?, MATCH LIMIT?, 

NTEGRITY CHECK TIME LIMIT?, 

FILE CONTENT. CHECK V2 TIME LIMIT?, 

FILE CONTENT. CHECK V2 MATCH LIMIT?, 

NTEGRITY. CHECK MATCH LIMIT?, INTEGRITY CHECK OBJECT. TYPES?, 

DISABLE CASE. SENSITIVE. SEARCH?,EXCLUDE USER OWNER?, 

EXCLUDE GROUP OWNER?, DIGEST. HASH?, PERMISSION. MONITOR?, 

DATA TYPE, EVALUATE AS STRING?, DESCRIPTION) 


(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/PATH. TYPE 


(#PCDATA) 
Specify file location using the path types: Registry Key, File Search, File 
Path. 
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XPath element specifications / notes 
(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/REG. HIVE 
(#PCDATA) 

A Windows registry hive: HKEY_CLASSES_ROOT (HKCR) | 

KEY. CURRENT. USER (HKCU) | HKEY_LOCAL_MACHINE (HKLM) | 
KEY_USERS (HKU). 

/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/REG_KEY 
(#PCDATA 

A Windows registry key. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/REG_VALUE_NAME 
(#PCDATA 

A value for a Windows registry key. 
(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/FILE. PATH 
(#PCDATA 

A pathname to a file or directory. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/FILE_QUERY 
(#PCDATA 

A query for a file content check. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/HASH_TYPE 
(#PCDATA 

An algorithm to be used for computing a file hash: MDS | SHA-1 | SHA-256. 
/CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN, PARAMETERS/WML NS  (*PCDATA) 

A WMI namespace for a WMI guery check. 
(CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/ WMI_QUERY 
(#PCDATA 

A WMI query for a WMI query check. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/SHARE_USER 
(#PCDATA 

A user name who can access a share for a share access check. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/PATH_USER 
(#PCDATA 

A user name who can access a directory for a share access check. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/GROUP_NAME 
(#PCDATA 

Windows local group name to get a list of members for. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/GROUP_NAME_LIMIT 
(#PCDATA 

The maximum number of results (1 to 1000) to be returned for Windows 

group name 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/BASE_DIR 
(#PCDATA 

For directory search, the base directory to start search from. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/SHOULD_DESCEND 
(#PCDATA 

For directory search, set to “true” when search extends into other file 

systems found; otherwise set to “false”. 
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element specifications / notes 


(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/DEPTH. LIMIT 


(#PCDATA) 


For directory search, depth level for searching each directory: only directory 


properties (0), direc 
directory (2-10). 


tory contents (1) or multiple levels below the base 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/INTEGRITY_CHECK_D 


EPTH LIMIT  (#PCDATA) 


For directory integri 
searching the direc 
or multi 


ty content check (Unix or Windows), depth level for 
tory. Only directory properties (0), directory contents (1) 
ple levels below the directory (2-10). 


(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/FOLLOW. SYMLINK 


(#PCDATA\ 


directori 


For directory search, set to “true” when target destination files and 
es will be analyzed; otherwise set to “false”. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/FILE_NAME_MATCH 


(#PCDATA\ 


For directory search 
expressi 


„afi 
on or a Unix globb 


name to match, i.e. a Windows wildcard 
ing (wildcard) expression. 


e 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/FILE_NAME_SKIP 


(#PCDATA 
For directory search 


,afi 
or a Unix globbing (wildca 


ename to skip, i.e. a Windows wildcard expression 
d) expression. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL _ 
(#PCDATA\ 


For directory search 
expression or a 


LIST/CONTROL/SCAN. PARAMET 


vadi 


Unix globbing (wildcard) expressi 


ERS/DIR NAME. MATCH 


i.e. a Windows wildcard 
on. 


rectory name to match, 


/CONTRO 
(#PCDATA 


L_LIST_OUTPUT/RESPONSE/CONTROL_ 


expression or a 


LIST/CONTROL/SCAN. PARAMET 


For directory search, a di 
i Unix globbing (wildcard) expressi 


ERS/DIR NAME SKIP 


-a Windows wildcard 
on. 


rectory name to skip, i.e 


/CONTRO 
T. TYPES 


L, LIST OUTPUT/RESPONSE/CONTROL 
(#PCDATA) 


For Windows directory search, types of system o 
DIRECTORY, FILE or DIRECTORY FILE 


LIST/CONTROL/SCAN_PARAMET 


ERS/WIN_FILE_SYS_OBJEC 


bjects to search: 


i.e. both directory and file). 


/CONTROL LIST OUTPUT/RESPONSE/CONTROL 
N USERS FOR ANY DOMAIN -— (#PCDATA) 


For Windows directory search, when 
the users setin <WIN. PERMISSION. 
iases. Click here 
well-known users and groups. 


users, groups anda 


LIST/CONT 


ROL/SCAN_PARAMETERS/MATCH_WELL_KNOW 


” 


set to “Yes” we'll perform a look up of 
USERS> and match against well-known 
to find abbreviated SDDL names for 


/CONTROL_LIS 
ERS  (*PCDATA) 


permissions to the 


_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAM 


ETERS/WIN_PERMISSION_US 


For Windows directory search, comma separated list of principals with 
files/directories to match. 


/CONTROL_LIS 
ATCH  (*PCDATA) 


_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/WIN_PERMISSION_M 


For Windows directory search, match “Any” (1.e. at least one of the 
permissions set or “All” (i.e. files that match all of the permissions set) in 
WIN_BASIC_PERMISSIONS. 
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XPath element specifications / notes 


/CONTROL LIST. OUTPUT/RESPONSE/CONTROL. LIST/CONTROL/SCAN. PARAMETERS/WIN. PERMISSIONS 
(WIN. BASIC. PERMISSIONS?, WIN. ADVANCED. PERMISSIONS?) 


(CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN,. PARAMETERS/WIN. PERMISSIONS/ 
WIN BASIC PERMISSIONS (WIN BASIC PERMISSIONS. TYPE+;) 


/CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/WIN. PERMISSIONS/ 
WIN BASIC PERMISSIONS /WIN BASIC PERMISSIONS TYPE (#PCDATA) 


For Windows directory search, match basic permission: Full Control | 
Modify | List Folder | Content | Read & Execute | Write | Read 


/CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/WIN. PERMISSIONS/ 
WIN. ADVANCED PERMISSIONS (WIN ADVANCED PERMISSIONS. TYPE +) 


/CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/WIN. PERMISSIONS/ 
WIN BASIC PERMISSIONS (WIN BASIC PERMISSIONS. TYPE+;) 


For Windows directory search, match advanced permission: Full Control | 
Traverse Folder |Execute Files | List Folder/Read Data | Read Attributes | 
Read Extended Attributes | Create Files/Write Data | Create Folders/Append 
Data | Write Attributes | Write Extended Attributes | Delete Sub-folders & 
Files | Delete | Read Permissions | Change Permissions | Take Ownership 


(CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/PERMISSIONS 
(SPECIAL, USER, GROUP, OTHER) 


(CONTROL, LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/PERMISSIONS/SPECIA 


T 


/CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/PERMISSIONS/USER 
EJEXECUTE) 

For Unix directory search, match files with these user permissions. 
UT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/PERMISSIONS /GROUP 


DS 
ay 
O 
y 
O 
n 
C 
n 
O 
x 

7] U 


For Unix directory search, match files with these group permissions. 
UT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/PERMISSIONS/OTHER 


pre 
O 
O 
Z 
y 
O 
5 
C 
n 
O 
£ 
7] U 


For Unix directory search, match files with these other permissions. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/PERM_COND 


For Unix directory search, match “all” permissions or “some” permissions 
set in PERMISSIONS, or “exclude” (i.e. ignore files with certain permissions). 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/TYPE_MATCH 
(4PCDATA 


For Unix directory search, match system objects specified as string of 
comma separated codes: d (directory), f (regular file), 1 (symbolic link), 
p (named pipe, FIFO), b (block special - buffered), c (character special - 
unbuffered), s (socket), D (door, Solaris only). Sample string: d,f,l 


(CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/USER. OWNER 
(#PCDATA) 


For Unix Directory Search and Unix Directory Integrity controls, match files 
owned by certain users specified as comma separated list of user names 
and/or UUIDs. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/GROUP_OWNER 
(#PCDATA) 
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XPath element specifications / notes 


For Unix Directory Search and Unix Directory Integrity controls, match files 
owned by certain groups specified as comma separated list of group names 
and/or GUIDs. 


(CONTROL LIST OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/SCRIPT. ID 


(CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/SCRIPT. NAME 


TROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/OUTPUT. FILTER 


For future use. 
(CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/TIME. LIMIT 


For a Unix directory search, the search time limit in seconds. 
(CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/MATCEH LIMIT 


For a Unix directory search, the maximum number of objects matched. 


/CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/INTEGRITY. CHECK. T 
IME LIMIT (#PCDATA) 


For integrity content check of directory/file (Unix or Windows), the integrity 
check time limit. 


(CONTROL. LIST. OUTPUT/RESPONSE/CONTROL. LIST/CONTROL/SCAN. PARAMETERS/FILE. CONTENT. CHEC 
K V2 TIME LIMIT (#PCDATA) 


The search time limit specified for a Unix File Content Check V2 control. 


(CONTROL, LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/FILE. CONTENT. CHEC 
K V2 MATCH LIMIT  (#PCDATA) 


[he search match limit specified for a Unix File Content Check V2 control. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/INTEGRITY_CHECK_ 
MATCH LIMIT - (4PCDATA) 


For integrity content check of directory/file (Unix or Windows), the integrity 
check match limit. 


/CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/DISABLE CASE SENSI 
TIVE SEARCH (#PCDATA) 


Disable the case-sensitive search in Unix agent UDCs (Directory Search and 
Directory Integrity). 

/CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/EXCLUDE USER OWN 
ER (*PCDATA) 


Supported only by Cloud Agent) For Unix Directory Search and Unix 

Directory Integrity controls, this is a flag (true or false) indicating whether 
to exclude the files owned by certain users specified as comma separated 
ist of user names and/or UUIDS. 


[CONTROL LIST. OUTPUT/RESPONSE/CONTROL, LIST/CONTROL/SCAN. PARAMETERS/EXCLUDE. GROUP O 
WNER — (*PCDATA) 


Supported only by Cloud Agent) For Unix Directory Search and Unix 
Directory Integrity controls, this is a flag (true or false) indicating whether 
to exclude the files owned by certain groups specified as comma separated 
ist of group names and/or GUIDs. 
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XPath element specifications / notes 


/CONTROL LIST. OUTPUT/RESPONSE/CONTROL LIST/CONTROL/SCAN. PARAMETERS/DIGEST. HASH 
(#PCDATA\ 


For integrity content check of directory/file (Unix or Windows), the digest 
hash. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/DATA_TYPE 
(#PCDATA\ 


A scan parameter that identifies a valid data type for the actual value 
provided by the service: Boolean | Integer | String | String List | Line List 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/EVALUATE_AS_STRIN 
G (#PCDATA) 


A scan parameter that identifies if the Evaluate as string option is enabled 
for Unix File Content Check UDC. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/SCAN_PARAMETERS/DESCRIPTION 


A description of the check’s scan parameters. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TECHNOLOGY 
(ID, NAME, RATIONALE, DATAPOINT?, USE SCAN VALUE?, DB OUERY?, DESCRIPTION?)> 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TECHNOLOGY/ID 


A technology ID for a technology in a control. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TECHNOLOGY/NAME 


A technology name for a technology in a control. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TECHNOLOGY/RATIO 


The rationale description for a technology in a control. 


UT/RESPONSE/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TECHNOLOGY/DATAP 
OINT (CARDINALITY, OPERATOR, DEFAULT_VALUES) 
U 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TECHNOLOGY/DATAP 
OINT/CARDINALITY (#PCDATA 


A cardinality used to calculate the expected value for a technology based 
on DATA_TYPE. String List: contains | does not contain | matches | is 
contained in | intersect. Line List: match any | match all | match none | 
empty | not empty. Boolean or Integer: no cd. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TECHNOLOGY/DATAP 
OINT/OPERATOR  (#PCDATA) 


Aname of an operator used to calculate the expected value for a 

technology: ge (greater than or equal to) | gt (greater than)| le (less than or 
equal to)| lt (less than)| ne (not equal to)| eq (equal to)| in | range (in range)| 
re (regular expression)| xre (reguolar expression list)| xeq (string list)| no op 
(no operator). 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TECHNOLOGY/DATAP 
OINT/DEFAULT VALUES (DEFAULT_VALUE+) 


total is the total number of default values 


/CONTROL LIST. OUTPUT/RESPONSE/CONTROL. LIST/CONTROL/TECHNOLOGY LIST/TECHNOLOGY/DATAP 
OINT/DEFAULT VALUES/DEFAULT VALUE  (#PCDATA) 
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XPath element specifications / notes 
A default value for each technology this is used to calculate the expected 
value for a technology, specified as a regular expression or a string 
depending on the check type. 


/CONTROL LIST. OUTPUT/RESPONSE/CONTROL. LIST/CONTROL/TECHNOLOGY. LIST/TECHNOLOGY/USE. S 
CAN VALUE (#PCDATA) 


Indicates whether the “Use scan data as expected value” option is enabled 
for the technology in a File Integrity check. A value of “1” means it is 
enabled. A value of “O” means it’s not enabled. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TECHNOLOGY/DB_QU 
ERY (#PCDATA) 


SQL query defined by the user to be executed on the database for database 
udc. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TECHNOLOGY/DESCR 
IPTION (#PCDATA) 


Description of the SQL query defined by the user to be executed on the 
database for database udc. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/FRAMEWORK_LIST 
(FRAMEWORK+) 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/FRAMEWORK_LIST/FRAMEWORK 
Sir 


/RESPONSE/CONTROL_LIST/CONTROL/FRAMEWORK_LIST/FRAMEWORK/ID 


5 
7 
> 
zZ 
M 
Do) 
fH 
mi 
m 
po] 
fH 
Z 
OO 
m 
bal 


ja 
(2) 
O 
y 
O 
A 
C 
(77) 
( 
Ù 
E 


A framework ID for a framework reference in a control. 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/FRAMEWORK_LIST/FRAMEWORK/NAME 


EH 


A framework name for a framework reference in a control. 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/FRAMEWORK_LIST/FRAMEWORK/REFEREN 
E E 


/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/FRAMEWORK_LIST/FRAMEWORK/REFEREN 
CE_LIST/REFERENCE (SECTION, COMMENTS) 
/CONTROL_LIST_OUTPUT/RESPONSE/CONTROL_LIST/CONTROL/FRAMEWORK_LIST/FRAMEWORK/REFEREN 
CE LIST/REFERENCE/SECTION (#PCDATA 


A framework section for a framework reference in a control. 
(CONTROL LIST 0 PUT/RESPONSE/CONTROL_LIST/CONTROL/FRAMEWORK_LIST/FRAMEWORK/REFEREN 


CESE ST/REFERENCE/COMMENTS (#PCDATA) 


A framework description (comments) for a framework reference in a 
control. 


(CONTROL LIST OUTPUT/RESPONSE/ID SET  (ID|ID_RANGE)+ 
(CONTROL LIST OUTPUT/RESPONSE/ID SET/ID | (#PCDATA) 

A compliance control ID. 
(CONTROL LIST OUTPUT/RESPONSE/ID. SET/ID RANGE  (#PCDATA) 


A range of compliance control IDs. 
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element specifications / notes 


XPath 

(CONTROL LIST OUTPUT/RESPONSE/WARNING (CODE, TEXT, URL?) 

(CONTROL LIST OUTPUT/RESPONSE/WARNING/CODE (#PCDATA) 
A warning code. A warning code appears when the API reguest identifies 
more than 1,000 records (controls). 

(CONTROL LIST OUTPUT/RESPONSE/WARNING/TEXT  (#PCDATA) 
A warning message. A warning message appears when the API reguest 
identifies more than 1,000 records (controls). 

(CONTROL LIST OUTPUT/RESPONSE/WARNING/URL (#PCDATA) 


The URL for making another API reguest for the next batch of compliance 
control records. 
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Compliance Policy List Output 
API used 


<platform API server>/api/2.0/fo/compliance/policy/?action=list 


DTD for Network List Output 
<platform API server>/api/2.0/fo/compliance/policy/policy list output.dtd 
A recent DTD is shown below. 


<!-- QUALYS POLICY LIST OUTPUT DTD --> 
<!-- SRevision$ --> 
<!ELEMENT POLICY LIST OUTPUT (REQUEST?, RESPONSE) > 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?)> 
<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARA | LIST (PARAM+) > 

<!ELEMENT PARA (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


zo] 


<!ELEMENT RESPONSE (DATETIME, (POLICY LIST|ID SET)?, WARNING LIST?, 


<!ELEMENT POLICY LIST (POLICY+)> 
<!ELEMENT POLICY (ID, TITLE, CREATED?, LAST MODIFIED?, LAST EVALUATED?, 
S?, IS LOCKED?, EVALUATE NOW?, ASSET GROUP IDS?, 
ET INCLUDE?, TAG INCLUDE SELECTOR?, TAG SET EXCLUDE?, 
XCLUDE SELECTOR?, INCLUDE AGENT IPS?, CONTROL LIST?) > 
<!ELEMENT ID (#PCDATA) > 
M PCDATA) > 


Z 

3 
H 
H 
4 
E 


<!ELEMENT CREATED (DATETIME, BY)> 
<!ELEMENT BY (#PCDATA) > 


<!ELEMENT STATUS (#PCDATA) > 
: ED (#PCDATA) > 
<!ELEMENT EVALUATE NOW (#PCDATA) > 


<!ELEMENT ASSET GROUP IDS (#PCDATA) > 
<!ATTLIST ASSET GROUP IDS has hidden data CDATA #IMPLIED> 


<!ELEMENT TAG SET INCLUDE (TAG ID+)> 
<!ELEMENT TAG ID (#PCDATA) > 
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DEPRECATED?, 


, CUSTOMIZED, REMEDIATION?) > 


USER_LIST?) > 


TP -SBT2) 


<!ELEMENT TAG INCLUDE SELECTOR (#PCDATA) > 

<!ELEMENT TAG SET EXCLUDE (TAG ID+)> 

<!ELEMENT TAG EXCLUDE SELECTOR (#PCDATA) > 

<!ELEMENT INCLUDE_AGENT IPS (#PCDATA) > 

<!ELEMENT CONTROL LIST (CONTROL+) > 

<!ELEMENT CONTROL (ID, STATEMENT, CRITICALITY?, 
TECHNOLOGY LIST?) > 

<!ELEMENT STATEMENT (#PCDATA) > 

<!ELEMENT CRITICALITY (LABEL, VALUE) > 

<!ELEMENT LABEL (#PCDATA) > 

<!ELEMENT DEPRECATED (#PCDATA) > 

<!ELEMENT TECHNOLOGY LIST (TECHNOLOGY+) > 

<!ELEMENT TECHNOLOGY (ID, NAME, RATIONALE 

<!ELEMENT NAME (#PCDATA) > 

<!ELEMENT RATIONALE (#PCDATA) > 

<!ELEMENT CUSTOMIZED (#PCDATA) > 

<!ELEMENT REMEDIATION (#PCDATA) > 

<!ELEMENT ID SET (ID|ID RANGE) +> 

<!ELEMENT ID RANGE (#PCDATA) > 

<!ELEMENT WARNING LIST (WARNING+) > 

<!ELEMENT WARNING (CODE?, TEXT, URL?)> 

<!ELEMENT CODE (#PCDATA) > 

<!ELEMENT TEXT (#PCDATA) > 

<!ELEMENT URL (#PCDATA) > 

<!ELEMENT GLOSSARY (ASSET GROUP LIST?, 

<!ELEMENT ASSET GROUP LIST (ASSET _GROUP+) > 

<!ELEMENT ASSET GROUP (ID, TITLE, NETWORK_ID?, 

<!ELEMENT NETWORK_ID (#PCDATA) > 

<!ELEMENT IP SET (IP|IP_RANGE) +> 

<!ELEMENT IP (#PCDATA) > 

<!ELEMENT IP RANGE (#PCDATA) > 

<!ELEMENT ASSET TAG LIST (ASSET INCLUDE TAG LIST?, 

ASSET EXCLUDE TAG LIST?) > 

<!ELEMENT ASSET INCLUDE TAG LIST (TAG+)> 

<!ELEMENT ASSET EXCLUDE TAG LIST (TAG+)> 

<!ELEMENT TAG (TAG ID?, TAG NAME?) > 

<!ELEMENT TAG NAME (#PCDATA) 

<!ELEMENT USER LIST (USER+) > 

<!ELEMENT USER (USER LOGIN, FIRST NAME, LAST NAME) > 

<!ELEMENT FIRST NAME (#PCDATA) > 

<!ELEMENT LAST NAME (#PCDATA) > 

<!-- EOF --> 
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XPaths for Compliance Policy List Output 


Compliance Policy List Output: Reguest 


XPath element specifications / notes 
/POLICY LIST OUTPUT (REQUEST?, RESPONSE) 
/POLICY. LIST. OUTPUT/REOUEST 

(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 
/POLICY LIST OUTPUT/REOUEST/DATETIME (#PCDATA) 

The date and time of the request. 
/POLICY_LIST_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 

The user login ID of the user who made the request. 
/POLICY_LIST_OUTPUT/REQUEST/RESOURCE (#PCDATA) 

The resource specified for the request. 
/POLICY_LIST_OUTPUT/REQUEST/PARAM_LIST (PARAM+) 
(POLICY _OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
¡BOBA _OUTPUT/REQUEST/PARAM_LIST/PARAM/KEY — (4PCDATA) 

An input parameter name. 
/POLICY LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE  (#PCDATA) 

An input parameter value. 
/POLICY LIST OUTPUT/REOUEST/POST. DATA (4PCDATA) 


The POST data, if any. 


Compliance Policy List Output: Response 
XPath element specifications / notes 
OMG OUTPUT (REQUEST?, RESPONSE) 
/POLICY_LIST_OUTPUT/RESPONSE 

(DATETIME, (POLICY_LIST|ID_SET)?, WARNING?, GLOSSARY ?) 
/POLICY_LIST_OUTPUT/RESPONSE/DATETIME (#PCDATA) 

The date and time of the response. 
/POLICY_LIST_OUTPUT/RESPONSE/POLICY_LIST  (POLICY+) 
ORIG Yas _OUTPUT/RESPONSE/POLICY_LIST/POLICY 

ID, TITLE, CREATED?, LAST_MODIFIED?, LAST_EVALUATED?, STATUS?, 

S_LOCKED?, EVALUATE_NOW?, ASSET_GROUP_IDS?, TAG_SET_INCLUDE?, 

TAG_INCLUDE_SELECTOR?, TAG_SET_EXCLUDE?, 

TAG_EXCLUDE_SELECTOR?, INCLUDE_AGENT_IPS?, CONTROL_LIST?) 
/POLICY_LIST_OUTPUT/RESPONSE/POLICY_LIST/POLICY/ID | (#PCDATA) 

A compliance policy ID. 
/POLICY_LIST_OUTPUT/RESPONSE/POLICY_LIST/POLICY/TITLE (#PCDATA) 

A compliance policy title. 
/POLICY_LIST_OUTPUT/RESPONSE/POLICY_LIST/POLICY/CREATED (#PCDATA) 


The date/time when the policy was created. 
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XPath element specifications / notes 
(POLICY LIST OUTPUT/RESPONSE/POLICY LIST/POLICY/LAST. MODIFIED (DATETIME, BY) 
(POLICY. LIST OUTPUT/RESPONSE/POLICY LIST/POLICY/LAST MODIFIED/DATETIME — (*PCDATA) 
The date/time when the policy was last updated. 
(POLICY LIST OUTPUT/RESPONSE/POLICY LIST/POLICY/LAST MODIFIED/BY (#PCDATA) 
The user login ID of the user who last modified the policy. 
(POLICY. LIST OUTPUT/RESPONSE/POLICY LIST/POLICY/LAST EVALUATED (DATETIME) 
(POLICY. LIST OUTPUT/RESPONSE/POLICY LIST/POLICY/LAST EVALUATED/DATETIME  (#PCDATA) 
The date/time when the policy was last evaluated. 
(POLICY. LIST OUTPUT/RESPONSE/POLICY LIST/POLICY/STATUS | (#PCDATA) 
The current status of the policy: active or inactive. 
(POLICY LIST OUTPUT/RESPONSE/POLICY LIST/POLICY/IS LOCKED _(#PCDATA) 
The current status of the policy: locked or unlocked. 
(POLICY. LIST OUTPUT/RESPONSE/POLICY LIST/POLICY/EVALUTE NOW  (*PCDATA) 
Indicates whether the Evaluate Now option was selected in the policy. 
(POLICY LIST OUTPUT/RESPONSE/POLICY LIST/POLICY/ASSET GROUP IDS (#PCDATA) 
A list of asset group IDs for the asset groups assigned to a policy. 
attribute: has_hidden_data has_hidden_data is implied and, if present, has the value 1. This flag 


indicates that the user does 
asset groups in 


group IDs 
<ASSET_G 


not have permission to see one or more 
the policy. When this attribute is present, only the asset 
that the user has permission to see, if any, are listed in the 
ROUP_IDS> element. 


/POLICY_LIS 


- OU 


PU 


/RESPONSE/POLICY LIS' 


F/POLICY/TAG. SET. INCLUDE (TAG ID+) 


/POLICY LIS 


zow 


PUT/RESPONSE/POLICY_LIS1 


A tag set ID. 


[/POLICY/TAG_SET_INCLUDE/TAG_ID (#PCDATA) 


/POLICY_LIS 


OU 


PU 


/RESPONSE/POLICY. LIST 


[/POLICY/TAG INCLUDE SELECTOR (#PCDATA) 


The value “any” means the hosts included in the policy match at least one 
of the selected tags, and “all” means the hosts match all of the selected 


tags. 


/POLICY_LIS 


OU 


PU 


/RESPONS 


E POCAS] 


[/POLICY/TAG_SET_EXCLUDE (TAG. ID+) 


/POLICY LIS 


OU 


PU 


/RESPONS 


A tag set ID. 


E/POLICY_LIST/POLICY/ 


'AG_SET_EXCLUDE/TAG_ID (#PCDATA) 


/POLICY_LIS 


ZOU 


PU 


/RESPONS 


E/POLICY_LIS1 


tags. 


[/POLICY/TAG_EXCLUDE_SELECTOR (#PCDATA) 


The value “any” means the hosts included in the policy match at least one 
of the selected tags, and “all” means the hosts match all of the selected 


ENE 


OU 


PUT/RESPONSE/POLICY LIS' 


The value 


means the policy inc 
doesn't include them. 


[/POLICY/INCLUDE AGENT IPS (#PCDATA) 


udes agent IPs, and 0 means the policy 


OSTAME 


un 


OW 


T/RESPONS 


E/POLICY LISTI 


[/POLICY/CONTROL LIST (CONTROL) 


Ge 


un 


OU 


PUT/RESPONS 


E/POLICY LIS'I 


F/POLICY/CONTROL LIST/CONTROL 


ID, STATEMENT, CRITICALITY?, DEPRECATED?, TECHNOLOGY LIST?) 


CAPS 


OU 


PUT/RESPONS 


E/POLICY. LISTI 
#PCDATA) 


A compliance 


[/POLICY/CONTROL_LIST/CONTROL/ID 


control ID. 
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XPath element specifications / notes 
(POLICY. LIST OUTPUT/RESPONSE/POLICY LIST/POLICY/CONTROL LIST/CONTROL/STATEMENT  (*PCDATA) 
A control statement. 


/POLICY. LIST OUTPUT/RESPONSE/POLICY. LIST/POLICY/CONTROL LIST/CONTROL/CRITICALITY (LABEL, 
VALUE) 


/POLICY. LIST. OUTPUT/RESPONSE/POLICY. LIST/POLICY/CONTROL LIST/CONTROL/CRITICALITY/LABEL 
(4PCDATA) 


A criticality label (e.g. SERIOUS, CRITICAL, URGENT) assigned to the 
control. 


/POLICY. LIST. OUTPUT/RESPONSE/POLICY. LIST/POLICY/CONTROL LIST/CONTROL/CRITICALITY/VALUE 
(#PCDATA) 


A criticality value (0-5) assigned to the control. 


/POLICY_LIST_OUTPUT/RESPONSE/POLICY_LIST/POLICY/CONTROL_LIST/CONTROL/DEPRECATED 
(#PCDATA) 


The value 1 identifies a deprecated control. This element appears only for a 
deprecated control. 


/POLICY_LIST_OUTPUT/RESPONSE/POLICY_LIST/POLICY/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST 
IE 


2 PUT/RESPONSE/POLICY. LIST/POLICY/CONTROL LIST/CONTROL/TECHNOLOGY LIST/TEC 
NOLOGY (ID, NAME, RATIONALE, CUSTOMIZED, REMEDIATION?) 


/RESPONSE/POLICY_LIST/POLICY/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TEC 


A technology ID for a control. 
/POLICY_LIST_OUTPUT/RESPONSE/POLICY_LIST/POLICY/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TEC 


A technology name for a control. 


/POLICY_LIST_OUTPUT/RESPONSE/POLICY_LIST/POLICY/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TEC 
HNOLOGY/RATIONALE (#PCDATA) 


The rationale description for a control technology. 


(POLICY. LIST OUTPUT/RESPONSE/POLICY. LIST/POLICY/CONTROL LIST/CONTROL/TECHNOLOGY LIS 
HNOLOGY/CUSTOMIZE #PCDATA) 


A value indicating whether the default value was customized for a control 
technology. The value 1 indicates the default value was customized. The 
value 0 indicates the default value was not customized. The value 0 always 
is present for a locked control (a control that cannot be customized). 


POLICY_LIST_OUTPUT/RESPONSE/POLICY_LIST/POLICY/CONTROL_LIST/CONTROL/TECHNOLOGY_LIST/TEC 
HNOLOGY/REMEDIATON - (4PCDATA) 


Remediation information for the technology. Users can customize 
emediation details using the Policy Editor in the UI. 


(POLICY LIST OUTPUT/RESPONSE/ID SET (IDJID RANGE) 
POLICY LIST OUTPUT/RESPONSE/ID SET/ID (#PCDATA) 

A policy ID. 

(POLICY LIST OUTPUT/RESPONSE/ID SET/ID RANGE (4PCDATA) 
A range policy IDs. 


SS 


EG 


SS 


SS 
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Compliance Policy List Output: Warning 


XPath element specifications / notes 
/POLICY LIST OUTPUT/RESPONSE/WARNING LIST (WARNING+) 


(POLICY LIST OUTPUT/RESPONSE/WARNING LIST/WARNING  (CODE?, TEXT, URL?) 
(POLICY. LIST OUTPUT/RESPONSE/WARNING/CODE  (#PCDATA) 


A warning code. A warning code appears when the API reguest identifies 
more than 1,000 records (policies). 


(POLICY LIST OUTPUT/RESPONSE/WARNING/TEXT (#PCDATA) 


un 


A warning message. A warning message appears when the API request 
identifies more than 1,000 records (policies). 


/POLICY_LIST_OUTPUT/RESPONSE/WARNING/URL (#PCDATA) 


The URL for making another API request for the next batch of policy 
records. 


Compliance Policy List: Glossary 


XPath element specifications / notes 
/POLICY_LIST_OUTPUT/RESPONSE/GLOSSARY — (ASSET. GROUP LIST?, ASSET. TAG LIST?, USER LIST?) 
(POLICY LIST OUTPUT/RESPONSE/GLOSSARY/ASSET. GROUP LIST (ASSET. GROUP +) 


A list of asset groups assigned to policies in the policy list output. 
(POLICY. LIST OUTPUT/RESPONSE/GLOSSARY/ASSET. GROUP LIST/ASSET. GROUP 
(ID, TITLE, IP. SET?) 
/POLICY. LIST OUTPUT/RESPONSE/GLOSSARY/ASSET. GROUP LIST /ASSET_GROUP/ID 
(#PCDATA) 
An asset group ID for an asset group assigned to the policy. 
/POLICY_LIST_OUTPUT/RESPONSE/GLOSSARY/ASSET_GROUP_LIST /ASSET_GROUP/TITLE 
(#PCDATA) 
An asset group title for an asset group assigned to the policy. 
/POLICY_LIST_OUTPUT/RESPONSE/GLOSSARY/ASSET_GROUP_LIST /ASSET_GROUP/IP_SET  (IP|IP_RANGE)+ 
/POLICY_LIST_OUTPUT/RESPONSE/GLOSSARY/ASSET_GROUP_LIST /ASSET_GROUP/IP_SET/IP (#PCDATA) 
An IP address in an asset group that is assigned to the policy. 
/POLICY_LIST_OUTPUT/RESPONSE/GLOSSARY/ASSET_GROUP_LIST /ASSET_GROUP/IP_SET/IP_RANGE 


An IP address range in an asset group that is assigned to the policy. 
/POLICY_LIST_OUTPUT/RESPONSE/GLOSSARY/ASSET_TAG_LIS (TAG+) 


A list of asset tags assigned to policies in the policy list output. 
/POLICY_LIST_OUTPUT/RESPONSE/GLOSSARY/ASSET_TAG_LIST/TAG 

(TAG_ID?, TAG_NAME?) 
/POLICY_LIST_OUTPUT/RESPONSE/GLOSSARY/ASSET_TAG_LIST /TAG/TAG_ID (#PCDATA) 
An asset tag ID for an asset tag assigned to the policy. 
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element specifications / notes 


(POLICY. LIST OUTPUT/RESPONSE/GLOSSARY/ASSET. TAG LIST /TAG/TAG NAME 


(#PCDATA) 


An asset tag name for an asset tag assigned to the policy. 


/POLICY_LIST_OUTPUT/RESPONSE/GLOSSARY/US 


A list of users who crea 


the policy list ou 


IRs IESE 


(USER+) 


ted or edited exceptions in compliance policies in 
tput. For a policy that was edited, the user who most 
recently edited the excepti 


on is included in the output. 


PONG. OU ESPONSE/GLOSSARY/U 


(USER. LOGIN, 


S 
FI 


REL 
Si 


S 


USER 


NAME, LAST. NAME) 


BOLIC va ESPONSE/GLOSSARY/U 


A user login ID. 


5 


R_LIST / 


USER  (#PCDATA) 


BORIC Yar re ESPONSE/GLOSSARY/U 


The first name 


f the 


R_LIST / 


FIRST NAME (#PCDATA) 


account user. 


OMIC /RESPONSE/GLOSSARY/U 


The last name of 


RES 


LAST NAME (#PCDATA) 


the account user. 
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Compliance Policy Export Output 


API used 


<platform API server>/api/2.0/fo/compliance/policy/?action=export 


DTD for Compliance Policy Export Output 


<platform API server>/api/2.0/fo/compliance/policy/policy. export. output.dtd 


A recent DTD 


<1== 0 
SRevision: 


<l== 


UA 


<!EL 


EN 


YS POLICY 1 


is shown below. 
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ECTION*) > 
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| USE 
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PCDATA) > 
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IED> 
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(#PCDATA) > 
PCDATA) > 


EXPORT 
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COVER PAG 
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T TECHNOLOGIES (TECHNOLOGY*) > 


T TECHNOLOGIES total CDATA #IMPLIED> 


T TECHNOLOGY (ID, NAME?, EVALUATE?, RATIONALE?, REMEDIATION?, 


T?, USE SCAN VALUE?, DB OUERY?, DESCRIPTION?) > 


T RATIONALE (#PCDATA) > 


El 
3 


EMEDIATION (#PCDATA) > 
NOT | DP) +> 


El 
3 


NE] 
9 
> 
Z 
(ø) 
O 
2 


ei 
3 


ND (AND|OR|NOT| DP) +> 
R (AND|OR|NOT| DP) +> 
OR|NOT|DP) +> 
K|OP|CD|L|V|FV|DBCOL|DT) +> 
PCDATA) > 


El 
3 


El 
3 


QQOxuzoRQB 
H 
> 
A 
CO 


T D U A eA A oA a aA a VAU AVF KWVYV AX AA 23 


( 
T (# 
T OP (#PCDATA) > 
T CD (#PCDATA) > 
T L (#PCDATA) > 
T V (#PCDATA) > 


T FV (#PCDATA) > 

T FV set CDATA #IMPLIED> 
T DBCOL (#PCDATA) > 

T DT (#PCDATA) > 


T DATAPOINT (CARDINALITY?, OPERATOR?, DEFAULT VALUES?) > 
T CARDINALITY (#PCDATA) > 


T OPERATOR (#PCDATA) > 


EFAULT VALUES (DEFAULT VALUE*) > 


302323232 


D 
T DEFAULT VALUES total CDATA #IMPLIED> 
DEFAULT VALUE (#PCDATA) > 


T USE SCAN VALUE (#PCDATA) > 


3 
E 
n 


ER DEFINED CONTROL (ID, UDC ID, CHECK TYPE, 
[TROL DISABLE?, CATEGORY, SUB CATEGORY, STATEMENT, CRITICALITY?, 
2, USE AGENT ONLY?, AUTO UPDATE?, IGNORE ERROR, 


n 


H 

| 
Z| 
© 

a 
Al 
e) 
G 
Z 
CO 
RI 
29) 
© 
o) 
un 
= 


- STATUS) ?, SCAN PARAMETERS?, 


E TEXT?, TECHNOLOGIES, REFERENCE LIST)> 


T UDC ID (#PCDATA) > 


C 


T CHECK_TYPE (#PCDATA)> 


T CATEGORY (ID, NAME)> 
T SUB CATEGORY (ID, NAME)> 


T STATEMENT (#PCDATA) > 
T COMMI 


T USE AGENT ONLY (#PCDATA)> 


GNORE ITE NOT FOUND (#PCDATA) > 


EFERENCE (REF DESCRIPTION?, URL?) > 


A 
T 
I 
T REFERENCE LIST (REFERENCE*) > 
R 
R 


EF DESCRIPTION (#PCDATA) > 


T ERROR SET STATUS (#PCDATA) > 
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<!ELEMENT MATCH WELL KNOWN USERS FOR ANY DOMAIN (#PCDATA) > 
<!ELEMENT WIN PERMISSION USERS (#PCDATA) > 

<!ELEMENT GROUP NAME (#PCDATA) > 

<!ELEMENT GROUP NAME LIMIT (#PCDATA) > 

<!ELEMENT DATA TYPE (#PCDATA) > 

<!ELEMENT EVALUATE AS STRING (#PCDATA) > 

<!ELEMENT DB QUERY (#PCDATA) > 

<!ELEMENT SCRIPT ID (#PCDATA) > 

<!ELEMENT SCRIPT NAME (#PCDATA) > 

<!ELEMENT OUTPUT FILTER (#PCDATA) > 

<!ELEMENT PERMISSIONS (SPECIAL, USER, GROUP, OTHER) > 
<!ELEMENT SPECIAL (SPECIAL USER, SPECIAL GROUP, SPECIAL DELETION) > 
<!ELEMENT SPECIAL USER (#PCDATA) > 

<!ELEMENT SPECIAL GROUP (#PCDATA) > 

<!ELEMENT SPECIAL DELETION (#PCDATA) > 

<!ELEMENT USER (READ, WRITE, EXECUTE) > 

<!ELEMENT GROUP (READ, WRITE, EXECUTE) > 

<!ELEMENT OTHER (READ, WRITE, EXECUTE) > 

<!ELEMENT READ (#PCDATA) > 

<!ELEMENT WRITE (#PCDATA) > 

<!ELEMENT EXECUTE (#PCDATA) > 

<!ELEMENT WIN PERMISSIONS (WIN BASIC PERMISSIONS?, 

WIN ADVANCED PERMISSIONS?) > 

<!ELEMENT WIN BASIC PERMISSIONS (WIN BASIC PERMISSION TYPE+) > 
<!ELEMENT WIN BASIC PERMISSION TYPE (#PCDATA) > 

<!ELEMENT WIN ADVANCED PERMISSIONS (WIN ADVANCED PERMISSION TYPE+) > 
<!ELEMENT WIN ADVANCED PERMISSION TYPE (#PCDATA) > 
<!ELEMENT WIN FILE SYS OBJECT TYPES (#PCDATA) > 

<!ELEMENT APPENDIX (OP _ ACRONYMS, DATA POINT ACRONYMS+) > 
<!ELEMENT OP ACRONYMS (OP+) > 

<!ATTLIST OP id CDATA #IMPLIED> 

<!ELEMENT DATA POINT ACRONYMS (DP+)> 

<!ATTLIST K id CDATA #IMPLIED> 

<!ATTLIST FV id CDATA #IMPLIED> 

<!-- EOF --> 


XPaths for Compliance Policy Export Output 


Compliance Policy Export Output: Request 


XPath 


element specifications / notes 


(POLICY. EXPOR'I 


E AAA GI 


(REOUEST?, RESPONSE) 


(POLICY. EXPOR'I 


P_OUTPUT/REQUEST 


(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 


/OLICY_EXPORT_OUTPUT/REQUEST/DATETIME 


(#PCDATA) 


The date and time of the request. 
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XPath element specifications / notes 
(POLICY. EXPOR PUT/REOUEST/USER LOGIN (#PCDATA) 
The user login ID of the user who made the reguest. 
(POLICY. EXPOR PUT/REQUEST/RESOURCE (#PCDATA) 
The resource specified for the reguest. 
/POLICY_EXPOR PUT/REOUEST/PARAM LIST (PARAM+) 
(POLICY. EXPOR PUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
/POLICY_EXPOR' PUT/REOUEST/PARAM LIST/PARAM/KEY (#PCDATA) 
An input parameter name. 
(POLICY. EXPOR PUT/REQUEST/PARAM_LIST/PARAM/VALUE (#PCDATA) 
An input parameter value. 
(POLICY. EXPOR PUT/REOUEST/POST. DATA (#PCDATA) 


The POST data, if any. 


Compliance Policy Export Output: Response 


XPath element specifications / notes 
/POLICY EXPOR' UTPUT/RESPONSE (REQUEST?, RESPONSE) 
/POLICY EXPOR' UTPUT/RESPONSE (DATETIME, POLICY) 
(POLICY EXPOR' UTPUT/RESPONSE/DATETIME (#PCDATA) 
The date and time of the response. 
/POLICY EXPOR' PUT/RESPONSE /POLICY 
(TITLE, DESCRIPTION?, LOCKED?, EXPORTED, COVER. PAGE?, STATUS?, 
TECHNOLOGIES, SECTIONS, APPENDIX?) 
/POLICY EXPOR' PUT/RESPONSE/POLICY/TITLE (#PCDATA) 
A compliance policy title. 
/POLICY EXPOR' PUT/RESPONSE/POLICY/POLICY/DESCRIPTION (#PCDATA) 
A compliance policy description. 
/POLICY EXPOR' PUT/RESPONSE/POLICY/POLICY/LOCKED (#PCDATA) 
A flagindicating that the policy is locked. 
/POLICY EXPOR' PUT/RESPONSE/POLICY/EXPORTED (#PCDATA) 
The date/time when the policy was exported. 
/POLICY EXPOR' PUT/RESPONSE/POLICY/COVER PAGE (#PCDATA) 
Content for the cover page. 
(POLICY EXPOR PUT/RESPONSE/POLICY/STATUS — (4PCDATA) 
The current policy status: active or inactive. 
/POLICY_EXPOR PUT/RESPONSE/POLICY/SECTIONS (SECTION +) 
total is the total number of sections 
(POLICY EXPOR' PUT/RESPONSE/POLICY/SECTIONS/SECTION (NUMBER, HEADING, CONTROLS) 
/POLICY_EXPOR' PUT/RESPONSE/POLICY/SECTIONS/SECTION/NUMBER (#PCDATA) 
A section number. 
/POLICY_EXPOR PUT/RESPONSE/POLICY/SECTIONS/SECTION/HEADING (#PCDATA) 


A section heading. 
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XPath element specifications / notes 

/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS 
((CONTROLJUSER. DEFINED. CONTROL) 
(POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS (CONTROL”) 
total is the total number of controls 
/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL 


(ID, CRITICALITY?, IS CONTROL DISABLE?, REFERENCE TEXT?, 
TECHNOLOGIES) 


/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/D (#PCDATA) 
A control ID. 
/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/ 


CRITICALITY (LABEL, VALUE) 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/ 
CRITICALITY/LABEL (#PCDATA) 


A criticality label (e.g. SERIOUS, CRITICAL, URGENT) assigned to the 
control. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/IS_CONTROL_DISA 
BLE (#PCDATA 


1 means the control is disabled; 0 means the control is enabled. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
(TECHNOLOGY+ 


total is the total number of technologies 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY 


(ID, NAME?, EVALUATE?, RATIONALE?, REMEDIATION?, DATAPOINT?, 
USE_SCAN_VALUE?, DB_QUERY?, DESCRIPTION?) 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIE 
/TECHNOLOGY/ID — (#PCDATA) 


A technology ID. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CON 
/TECHNOLOGY/NAME  (#PCDATA 


= 


FROLS/CONTROL/TECHNOLOGIE 


A technology name. 


(POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CON 
/TECHNOLOGY/EVALUATE  (CTRL”) 


= 


FROLS/CONTROL/TECHNOLOGIE 


he control evaluation logic. 


attribute: checksum This attribute is no longer returned in the XML output. However, you can 
still include it in policy export XML and import it into your account. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/EVALUATE/CTRL = (AND|OR|NOT|DP)+ 


The root tag for control evaluation. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIE 
/TECHNOLOGY/EVALUATE/CTRL /AND  (AND|OR|NOT|DP)+ 


Indicates a logical AND relationship between its children. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIE 
/TECHNOLOGY/EVALUATE/CTRL /OR  (AND|OR|NOT|DP)+ 


Y 


Indicates a logical OR relationship between its children. 
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XPath element specifications / notes 


/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/EVALUATE/CTRL /NOT  (ANDJOR|NOT|DP)+ 


Indicates negation of evaluation logic represented by its child tag. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/EVALUATE/CTRL /DP  (K]OP|CD|L|V|FV|DBCOL|DT)+ 


The evaluation logic for a data point in the compliance policy. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/EVALUATE/CTRL /DP/K (#PCDATA) 
A service-defined, unique name for the data point. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/EVALUATE/CTRL /DP/OP (#PCDATA 


The operator option set in the compliance policy for the data point, if 
applicable. Possible values depending on the data type: ge | gt | le | 1t | eq | ne 
| in | range | re | xre | xeq | no op. See “Operator Names” below. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/EVALUATE/CTRL /DP/CD  (*PCDATA) 


The cardinality option set in the compliance policy for the data point, 1f 

applicable. Possible values depending on the data type: contains | does not 
contain | matches | is contained in | intersect | match any | match all | match 
none | empty | not empty | no cd. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/EVALUATE/CTRL /DP/L (#PCDATA) 


Identifies attributes of the data point that are locked and cannot be 
changed in the compliance policy. These data point attributes may be 
locked: OP (operator), CD (cardinality), V (expected value). 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/EVALUATE/CTRL /DP/V  (*PCDATA) 
The user-provided “expected” value for the data point, as defined in the 
policy. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/EVALUATE/CTRL /DP/FV (*PCDATA) 


A fixed expected value for the data point in the compliance policy. A fixed 
value cannot be changed in the policy. It can only be selected/deselected. 


w 


ttribute: set set indicates whether the fixed value is selected in the compliance policy. 
When set=1 the fixed value is selected. When set=0 the fixed value is not 
selected. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/EVALUATE/CTRL /DP/DBCOL (#PCDATA) 
Columns returned in scan result. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIE 


/TECHNOLOGY/EVALUATE/CTRL /DP/DT (4PCDATA) 


EH 


Data type to be defined to evaluate controls. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/RATIONALE — (*PCDATA) 


A rationale statement describing how the control should be implemented 
for each technology. 
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XPath element specifications / notes 
/POLICY EXPORT OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIE 
/TECHNOLOGY/REMEDIATION — (*PCDATA) 

Remediation information available for each technology. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIE 
/TECHNOLOGY/DATAPOINT 

(CARDINALITY?, OPERATOR?, DEFAULT_VALUES?) 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/DATAPOINT/CARDINALITY (#PCDATA 

A cardinality used to calculate the expected value for a technology. When 

DATA_TYPE is “String List”: contains | does not contain | matches | is 

contained in | intersect. When DATA_TYPE is “Line List”: match any | match 

all | match none | empty | not empty. When DATA_TYPE is “Boolean” or 

“Integer”: no cd. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/DATAPOINT/OPERATOR — (*PCDATA) 

A name of an operator used to calculate the expected value for a 

technology: ge | gt | le | lt | ne | eq | in | range | re | xre | xeq | no op. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/DATAPOINT/DEFAULT VALUES (DEFAULT. VALUE*) 

total is the total number of default values. 

/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/DATAPOINT/DEFAULT VALUES/DEFAULT VALUE (#PCDATA) 

A default value for each technology this is used to calculate the expected 

value for a technology, specified as a regular expression or a string 

depending on the check type. This value can be a maximum of 4000 

alphanumeric characters. A regular expression must follow the PCRE 

Standard. 

[POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/USE SCAN VALUE — (*PCDATA) 

Indicates whether the “Use scan data as expected value” option is enabled 

for the technology in a File Integrity check. A value of “1” means it is 

enabled. A value of “0” means it’s not enabled. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/CONTROL/TECHNOLOGIES 
/TECHNOLOGY/DB OUERY (#PCDATA) 

User defined SOL statement 
[POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL 

(ID, UDC. ID, CHECK. TYPE, IS CONTROL DISABLE?, CATEGORY, 

SUB CATEGORY, STATEMENT, CRITICALITY?, COMMENT?, 

USE AGENT ONLY?, AUTO UPDATE?, IGNORE. ERROR, 

IGNORE ITEM. NOT. FOUND?, SCAN. PARAMETERS, REFERENCE. TEXT?, 

TECHNOLOGIES, REFERENCE. LIST) 

/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFINED CONTROL 
D (4PCDATA) 

Control ID. 

/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
UDC. ID (#PCDATA) 


User-defined control ID (UCD ID) for Oualys Custom Control. 
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XPath element specifications / notes 
/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFINED. CONTROL/ 
CHECK TYPE — (4PCDATA) 


The type of UDC check, such as Registry Key Existence, Registry Value 
Existence, Window File/Directory Existence, Window File/Directory 
Permission, Unix File Content Check, Unix Directory Search Check, etc. 


(POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFINED. CONTROL/I 
S. CONTROL DISABLE (#PCDATA) 
1 means the control is disabled; 0 means the control is enabled. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 


CATEGORY (ID, NAME 


m 


A category for a compliance control. 


/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFINED. CONTROL/ 
CATEGORY/ID  (#PCDATA) 


Tj 


The category ID. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
CATEGORY/NAME (#PCDATA) 


Tj 


The category name. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SUB_CATEGORY (ID, NAME 


A sub-category for the control. 
/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 


SUB CATEGORY/ID (#PCDATA) 


The sub-category ID. 
/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFIN 


SUB CATEGORY/NAME — (#PCDATA) 
The sub-category name. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
STATEMENT (*PCDATA) 


m 


D_CONTROL/ 


Tj 


A control statement that describes how the control should be implemented 
in the environment. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
COMMENT (#PCDATA) 


User defined comments. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
USE AGENT ONLY (#PCDATA) 


Set to 1 when the “Use agent scan only” option is enabled for the control. 
When enabled the control is evaluated using scan data collected from a 
cloud agent scan only. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
AUTO UPDATE (#PCDATA) 


Set to 1 when the “Auto Update expected value” option is enabled for the 
control. When enabled the control's expected value for posture evaluation 
is replaced with the actual value collected from the cloud agent scan. 
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XPath element specifications / notes 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFINED CONTROL/I 
GNORE ERROR — (4PCDATA) 


Set to 1 when the ignore error option is enabled for the control. When 
enabled, the service marks control instances as Passed in cases where an 
error occurs during control evaluation. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFINED. CONTROL/I 
GNORE ITEM NOT FOUND  (#PCDATA) 


Set to 1 when the ignore item not found option is enabled for the control. 
When enabled the service will show a status of Passed or Failed in cases 
where a control returns error code 2 “item not found” (e.g. scan did not find 
file, registry, or related data, as appropriate for the control type), depending 
on the status you prefer (defined in the policy). 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
REFERENCE LIST (REFERENCE*) 


A list of user-defined references. 
(POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. I 
REFERENCE. LIST/REFERENCE (REF DESCRIPTION?, URL 2) 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
REFERENCE_LIST/REFERENCE/REF_DESCRIPTION (#PCDATA) 


A user-defined description for a reference to an internal policy or 
document. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
REFERENCE LIST/REFERENCE/URL (#PCDATA) 


J 


EFINED_CONTROL/ 


A URL for a reference to an internal policy or document 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONT 
ROL/SCAN_PARAMETERS 


PATH. TYPE?, REG HIVE?, REG KEY?, REG VALUE NAME?, FILE. PATH? 
FILE OUERY?, HASH TYPE?, WMI NS?, WMI OUERY?, SHARE USER?, 
PATH. USER?, BASE DIR?, SHOULD DESCEND?, DEPTH LIMIT?, 
NTEGRITY. CHECK DEPTH LIMIT?, FOLLOW. SYMLINK?, 

FILE NAME MATCH?, FILE NAME. SKIP?, DIR NAME MATCH?, 
DIR. NAME. SKIP?, PERMISSIONS?, PERM. COND?, TYPE. MATCH?, 
USER OWNER?, GROUP OWNER?, TIME LIMIT?, MATCH LIMIT?, 
NTEGRITY. CHECK TIME LIMIT?, 

FILE CONTENT. CHECK V2 TIME LIMIT?, 
FILE CONTENT. CHECK V2 MATCH LIMIT?, 
NTEGRITY CHECK MATCH LIMIT?, 
DISABLE CASE. SENSITIVE. SEARCH?,EXCLUDE USER OWNER?, 
EXCLUDE GROUP OWNER?, INTEGRITY CHECK OBJECT. TYPES?, 
WIN. FILE SYS OBJECT. TYPES?, 
MATCH WELL KNOWN USERS FOR ANY DOMAIN?, 
WIN. PERMISSION USERS?, WIN. PERMISSION. MATCH?, 
WIN. PERMISSIONS?, GROUP NAME?, 
SCRIPT. ID?, SCRIPT. NAME?, OUTPUT. FILTER?, 

GROUP NAME LIMIT?, DIGEST. HASH?, PERMISSION. MONITOR?, 
DATA TYPE, EVALUATE AS STRING?, DESCRIPTION) 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/PATH TYPE (#PCDATA) 


Specify file location using the path types: Registry Key, File Search, File 
Path. 
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/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/REG HIVE — (4PCDATA) 


A Windows registry hive: HKEY. CLASSES ROOT (HKCR) | 
KEY. CURRENT. USER (HKCU KEY. LOCAL MACHINE (HKLM) | 
KEY USERS (HKU). 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/REG KEY (#PCDATA 


A Windows registry key. 


CY/SECTIONS/SECTION/CONTROLS/USER. DEFIN 
SCAN PARAMETERS/REG VALUE NAME — (4PCDATA) 
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D_CONTROL/ 


A value for a Windows registry key. 
CY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
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A pathname to a file or directory. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 


Tj 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 


An algorithm to be used for computing a file hash: MD5 | SHA-1 | SHA-256. 
/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
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CY/SECTIONS/SECTION/CONTROLS/USER_DEFIN 
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ROLS/USER_DEFINED_CONTROL/ 


A user name who can access a share for a share access check. 
/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFINED. CONTROL/ 


A user name who can access a directory for a share access check. 
(POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 


For directory search, the base directory to start search from. 


/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFIN 
SCAN PARAMETERS/SHOULD DESCEND  (#PCDATA) 


m 


D_CONTROL/ 


For directory search, set to “true” when search extends into other file 
systems found; otherwise set to “false”. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN_PARAMETERS/DEPTH_LIMIT #PCDATA) 


For directory search, depth level for searching each directory: only directory 
properties (0), directory contents (1) or multiple levels below the base 
directory (2-10). 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN PARAMETERS/FOLLOW SYMLINK  (#PCDATA) 
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For directory search, set to “true” when target destination files and 
directories will be analyzed; otherwise set to “false”. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/FILE NAME MATCH  (#PCDATA) 


For directory search, a filename to match, i.e. a Windows wildcard 
expression or a Unix globbing (wildcard) expression. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/FILE NAME SKIP (#PCDATA) 


For directory search, a filename to skip, i.e. a Windows wildcard expression 
or a Unix globbing (wildcard) expression. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/DIR NAME MATCH  (#PCDATA) 


For directory search, a directory name to match, i.e. a Windows wildcard 
expression or a Unix globbing (wildcard) expression. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/DIR NAME SKIP (#PCDATA) 


For directory search, a directory name to skip, i.e. a Windows wildcard 
expression or a Unix globbing (wildcard) expression. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/PERM COND  (*PCDATA) 


For Unix directory search, match “all” permissions or “some” permissions 
set in PERMISSIONS, or “exclude” (i.e. ignore files with certain permissions). 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN_PARAMETERS/TYPE_MATCH  (*PCDATA) 


For Unix directory search, match system objects specified as string of 
comma separated codes: d (directory), f (regular file), 1 (symbolic link), p 
(named pipe, FIFO), b (block special - buffered), c (character special - 
unbuffered), s (socket), D (door, Solaris only). Sample string: d,f,l 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN PARAMETERS/USER OWNER (#PCDATA 


For Unix directory search, match files owned by certain users specified as 
comma separated list of user names and/or UUIDs. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/GROUP OWNER  (*PCDATA) 


For Unix directory search, match files owned by certain groups specified as 
comma separated list of group names and/or GUIDS. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/TIME LIMIT (#PCDATA) 


or a Unix directory search, the search time limit in seconds. 


m 


T 
/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
I 


SCAN_PARAMETERS/MATCH_LIM (#PCDATA) 
For a Unix directory search, the maximum number of objects matched. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN_PARAMETERS/DISABLE_CASE_SENSITIVE_SEARCH  (#PCDATA) 


Disable the case-sensitive search in Unix agent UDCs (Directory Search and 
Directory Integrity). 


Tj 
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/POLICY EXPORT OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/EXCLUDE USER OWNER (#PCDATA) 


Supported only by Cloud Agent) For Unix Directory Search and Unix 
Directory Integrity controls, this is a flag (true or false) indicating whether 
to exclude the files owned by certain users specified as comma separated 
ist of user names and/or UUIDs. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/EXCLUDE GROUP OWNER — (*PCDATA) 


Supported only by Cloud Agent) For Unix Directory Search and Unix 
Directory Integrity controls, this is a flag (true or false) indicating whether 
to exclude the files owned by certain groups specified as comma separated 


st of group names and/or GUIDS. 
(POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFIN 
SCAN PARAMETERS/FILE CONTENT. CHECK V2 TIME LIMIT (#PCDATA) 
The search time limit specified for a Unix File Content Check V2 control. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/FILE CONTENT. CHECK V2 MATCH LIMIT  (#PCDATA) 


The search match limit specified for a Unix File Content Check V2 control. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/WIN. PERMISSION MATCH (#PCDATA) 


m 


D_CONTROL/ 


For Windows directory search, match “Any” (i.e. at least one of the 
permissions set or “All” (i.e. files that match all of the permissions set) in 
WIN_BASIC_PERMISSIONS. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN PARAMETERS/MATCH. WELL KNOWN USERS FOR ANY DOMAIN  (#PCDATA) 


For Windows directory search, when set to “Yes” we'll perform a look up of 
the users set in <WIN. PERMISSION USERS> and match against well-known 
users, groups and aliases. 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN PARAMETERS/WIN. PERMISSION USERS  (#PCDATA 
For Windows directory search, comma separated list of principals with 
permissions to the files/directories to match. 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/GROUP NAME (#PCDATA) 


Windows local group name to get a list of members for. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN PARAMETERS/GROUP NAME LIMIT (#PCDATA 


The maximum number of results (1 to 1000) to be returned for Windows 
group name. 
/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/DATA TYPE (#PCDATA) 
A scan parameter that identifies a valid data type for the actual value 
provided by the service: Boolean | Integer | String | String List | Line List 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/SCRIPT ID (#PCDATA) 


For future use. 


/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFIN 
SCAN PARAMETERS/SCRIPT NAME — (4PCDATA) 


EH 


m 


D_CONTROL/ 
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For future use. 
/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFINED. CONTROL/ 
SCAN. PARAMETERS/OUTPUT. FILTER (#PCDATA) 
For future use. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN PARAMETERS/EVALUATE AS STRING (#PCDATA) 


A scan parameter that identifies if the Evaluate as string option is enabled 
for Unix file content check 


/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/SC 


SPECIAL, USER, GROUP, OTHER) 
/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 


SECANO SERA SIPE(CIUAIL, (GINOVWME) SPEGIUAIL, TENE EKSIN 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN PARAMETERS/PERMISSIONS/SPECIAL/SPECIAL USER (#PCDATA) 
For Unix directory search, indicates whether the special set user ID on 
execution permission is set on the file: Yes, No or Any (either setting is fine). 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN PARAMETERS/PERMISSIONS/SPECIAL/SPECIAL GROUP (#PCDATA) 
For Unix directory search, indicates whether the special set group ID on 
execution permission is set on the file: Yes, No or Any (either setting is fine). 
/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/PERMISSIONS/SPECIAL/SPECIAL DELETION (#PCDATA) 
For Unix directory search, indicates whether the special restricted deletion 
(directory) or sticky bit (file) permission is set: Yes, No or Any (either setting 
is fine). 
/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/PERMISSIONS/USER (READ, WRITE, EXECUTE) 
/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/PERMISSIONS/USER/READ  (#PCDATA) 
For Unix directory search, indicates whether Read permission is set fo 
User: Yes, No or Any (either setting is fine). 
/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/PERMISSIONS/USER/WRITE — (4PCDATA) 
For Unix directory search, indicates whether Write permission is set for 
User: Yes, No or Any (either setting is fine). 
/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/PERMISSIONS/USER/EXECUTE — (*PCDATA) 
For Unix directory search, indicates whether Execute permission is set for 
User: Yes, No or Any (either setting is fine). 
/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/PERMISSIONS/GROUP (READ, WRITE, EXECUTE) 
/POLICY EXPORT. OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/ 
SCAN PARAMETERS/PERMISSIONS/GROUP/READ (#PCDATA) 


For Unix directory search, indicates whether Read permission is set for 
Group: Yes, No or Any (either setting is fine). 
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/POLICY. EXPORT. OU 
SCAN. PARAMETERS/ 


TPUT/RESPONS 


PERMISSIONS/GRO 


For 


E/POL 


Group 


CY/SECTIONS/S 
UP/WRITE 


either setting is 


ECTION/CONT 
(#PCDATA) 


ix directory search, indicates whe 
: Yes, No or Any 


ther Write permission is set for 
fine). 


FROLS/USER. DEFINED. CONTROL/ 


/POLICY EXPORT OU 
SCAN_PARAMETERS/ 


TPUT/RESPONS 


PERMISSIONS/G 


For 


Group: 


OLICY/SECTIONS/S 
OUP/EXECUTE 


x directory search, indicates whe 


Yes, No or Any 


#PCDATA 


either setting is 


ECTION/CONTROLS/USER_DEFINED_CONTROL/ 


ther Execute permission is set for 
fine). 


/POLICY_EXPOR 


PUT/RESPONS 


E/POLICY/SECTIONS/S 


ECTION/CONTROLS/USER 1 


DEFINED. GONT 


ROL/ 


SCAN_PARAMET PERMISSIONS/OTHER (READ,WRITE, EXECUTE) 
/POLICY_EXPOR PUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN_PARAMET PERMISSIONS/OTHER/READ  (*PCDATA) 


For 


ix directory search, indicates whet 


her Read permissi 


on is set fo 


Others (all other users of the system): Yes, No or Any (either setting is fine). 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONTROL/ 
SCAN PARAMETERS/PERMISSIONS/OTHER/WRITE — (#PCDATA) 


For 


Others 


ix directory search, 
(all other users of the system): Yes, No or Any (e 


indicates whe 


ther Write permission is set for 
ither setting is fine). 


/POLICY. EXPORT. OU 
SCAN. PARAMETERS/PERMISSIONS/OTH 


TPUT/RESPONS 


E/POLICY/SECTIONS/S 
ER/EXECUTE 


ECTION/CONTROLS/USER D 
(#PCDATA\ 


EFINED_CONTROL/ 


AN PARAMET ERS/WIN_ 


(#PCDATA) 


For Wi 


PERMISSIONS/WIN_BAS 


ndows d 


C_PERMISSIONS/WIN_BASIC_PERMISSION_TYPE 


irectory search, match basic permission: Full Control | 


For Unix directory search, indicates whether Execute permission is set for 

Others (all other users of the system): Yes, No or Any (either setting is fine). 
/POLICY EXPORT. PUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFINED. CONTROL/SC 
AN. PARAMETERS/WIN. PERMISSIONS 

(WIN. BASIC. PERMISSIONS?, WIN. ADVANCED. PERMISSIONS?) 
/POLICY. EXPOR PUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFINED. CONTROL/ 
SCAN. PARAMET /WIN. PERMISSIONS/WIN. BASIC. PERMISSIONS 

(WIN. BASIC. PERMISSION. TYPE+ 
/POLICY. EXPOR PUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER. DEFINED. CONTROL/SC 


Modify | List Folder | Content | Read & Execute | Write | Read 
(POLICY EXPORT. ! PUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CON'I L/ 
SCAN. PARAMETERS/WIN. PERMISSIONS/WIN. ADVANCED PERMISSIONS 

(WIN. ADVANCED. PERMISSION. TYPE+;) 
(POLICY EXPOR' PUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER DEFINED. CONTROL/SC 
AN. PARAMETERS/WIN. PERMISSIONS/WIN. ADVANCED. PERMISSIONS/WIN. ADVANCED. PERMISSION. TYPE 


(#PCDATA) 


For Wi 
Traverse Folder | Execute Fi 
Read Extended Attributes | Create Files/Write Data 
Data | Write Attributes | Wn 
Files | Delete | Read Permissions | Change Permissions | Take Ownership 


es | List Folder/Read Data 


te Extended Attributes 


ndows directory search, match advanced permi 


ssion: Full Con 


Read Attributes | 
Create Folders/Append 
Delete Sub-folders & 


/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/SECTIONS/SECTION/CONTROLS/USER_DEFINED_CONT 
SCAN_PARAMETERS/WIN_FILE_SYS_OBJECT_TYPES 


For Windows directory search, types of system objects to search: 
DIRECTORY, FILE or DIRECTORY FILE (i.e. both directory and file). 


(#PCDATA) 


PROL/ 
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[POLICY EXPORT. OUTPUT/RESPONSE/POLICY/APPENDIX/ 
(OP ACRONYMS, DATA. POINT. ACRONYMS-+)> 
/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/APPENDIX/OP. ACRONYMS (OP+) 
/POLICY. EXPORT. OUTPUT/RESPONSE/POLICY/APPENDIX/OP ACRONYMS/ OP 
The acronym for operator option set in the compliance policy for the data 
point, if applicable. Possible values depending on the data type: ge | gt | le | lt 
| eq |ne |in | range | re | xre | xeq | no op. See “Operator Names” below. 
attribute: id Indicates operator id. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/APPENDIX/DATA_POINT_ACRONYMS/ (DP+) 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/APPENDIX/DATA_POINT_ACRONYMS/ K 
The acronym for the service-defined, unique name for the data point. 
attribute: id Indicates id of the service-defined, unique name for the data point. 
/POLICY_EXPORT_OUTPUT/RESPONSE/POLICY/APPENDIX/DATA_POINT_ACRONYMS/ FV 


A fixed ex 
value can 


pected valu 
not be chan 


e for the data point in the compliance policy. A fixed 
ged in the policy. It can only be selected/deselected. 


attribute: id 


Indicates 
policy. 


id of the fixed expected value for the data point in the compliance 


Operator Names 


Operator Description Operator Description 

ge greater than or egualto in in 

gt greater than range in range 

le less than or equal to re regular expression 

lt less than xre regular expression list 
eq equal to xeq string list 

ne not equal to no op no operator 
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API used 


<platform API server>/api/2.0/fo/compliance/posture/info/?action=list 


DTD for Compliance Posture Info List Output 


<platform API server>/api 


/2.0/fo/compliance/posture/info/posture_info_list_output.dtd 


A recent DTD is shown below. 
<!-- QUALYS POSTURE INFO LIST OUTPUT DTD ==> 
<!-- SRevision$ --> 
<!ELEMENT POSTURE INFO LIST OUTPUT (REQUEST?, RESPONSE) > 
<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA? )> 
<!ELEMENT DATETIME (#PCDATA) > 
<!ELEMENT USER LOGIN (t PCDATA) > 
<!ELEMENT RESOURCE (#PCDATA) > 
<!ELEMENT PARA | LIST (PARAM+) > 
<!ELEMENT PARA (KEY, VALUE) > 
<!ELEMENT KEY (#PCDATA) > 
<!ELEMENT VALUE (#PCDATA) > 
<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 
<!ELEMENT RESPONSE (DATETIME, ((INFO LIST?, SUMMARY?, WARNING LIST?, 
GLOSSARY?) | POLICY+) )> 
<!ELEMENT POLICY (ID, DATETIME, INFO LIST?, SUMMARY?, WARNING LIST?, 
GLOSSARY?) > 
<!ELEMENT INFO LIST (INFO+) > 
<!ELEMENT INFO (ID, HOST ID, CONTROL ID, TECHNOLOGY ID, INSTANCE?, STATUS, 
REMEDIATION?, POSTURE MODIFIED DATE?, EVALUATION DATE?, PREVIOUS STATUS?, 
FIRST FAIL DATE?, LAST FAIL DATE?, FIRST PASS DATE?, LAST PASS DATE?, 
EXCEPTION?, EVIDENCE?, CAUSE OF FAILURE?)> 
<!ELEMENT ID (#PCDATA) > 
<!ELEMENT HOST ID (#PCDATA) > 
<!ELEMENT CONTROL ID (#PCDATA) > 
<!ELEMENT TECHNOLOGY ID (#PCDATA) > 
<!ELEMENT INSTANCE (#PCDATA) > 
<!ELEMENT STATUS (#PCDATA) > 
<!ELEMENT REMEDIATION (#PCDATA) > 
<!ELEMENT POSTURE MODIFIED DATE (#PCDATA) > 
<!ELEMENT EVALUATION DATE (#PCDATA) > 
<!ELEMENT PREVIOUS STATUS (#PCDATA) > 
<!ELEMENT FIRST FAIL DATE (#PCDATA) > 
<!ELEMENT AST FAIL DATE (#PCDATA) > 
<!ELEMENT FIRST PASS DATE (#PCDATA) > 
<!ELEMENT AST PASS DATE (#PCDATA) > 
<!ELEMENT EXCEPTION (ASSIGNEE, STATUS, END DATETIME?, CREATED?, 
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LAST MODIFIED?, COMMENT LIST?)> 

<!ELEMENT ASSIGNEE (#PCDATA) > 

<!ELEMENT END DATETIME (#PCDATA) > 

<!ELEMENT CREATED (BY, DATETIME) > 

<!ELEMENT BY (#PCDATA) > 

<!ELEMENT LAST MODIFIED (BY, DATETIME) > 

<!ELEMENT COMMENT LIST (COMMENT+) > 

<!ELEMENT COMMENT (DATETIME, BY, TEXT)> 

<!ELEMENT TEXT (#PCDATA) > 

<!ELEMENT EVIDENCE (BOOLEAN EXPR, DPV_LIST?, EXTENDED EVIDENCE?, 
STATISTICS?, EXTENDED STATISTICS ERROR? )> 

<!ELEMENT BOOLEAN EXPR (#PCDATA) > 

<!ELEMENT DPV LIST (DPV+)> 

<!ELEMENT DPV (LABEL, (ERROR|V)+, TM REF?) > 

<!ATTLIST DPV lastUpdated CDATA #IMPLIED> 

<!ELEMENT V (#PCDATA|H|R) *> 

<!ATTLIST V fileName CDATA #IMPLIED> 

<!ELEMENT H (C+)> 

<!ELEMENT R (C+)> 

<!ELEMENT EXTENDED EVIDENCE (#PCDATA) > 

<!ELEMENT STATISTICS (#PCDATA) > 

<!ELEMENT EXTENDED STATISTICS ERROR (#PCDATA) > 

<!ELEMENT CAUSE OF FAILURE (DIRECTORY FIM UDC, UNEXPECTED?, MISSING?, 
ADDED DIRECTORIES?, REMOVED DIRECTORIES?, PERMISSON CHANGED DIRECTORIES?, 
CONTENT CHANGED DIRECTORIES?) > 

<!ELEMENT DIRECTORY FIM UDC (#PCDATA) > 

<!ELEMENT UNEXPECTED (V*)> 

<!ELEMENT MISSING (V*)> 

<!ATTLIST MISSING logic CDATA #FIXED "OR"> 

<!ELEMENT ADDED DIRECTORIES (V*)> 

<!ELEMENT REMOVED DIRECTORIES (V*)> 

<!ELEMENT PERMISSON CHANGED DIRECTORIES (V*)> 

<!ELEMENT CONTENT CHANGED DIRECTORIES (V*) > 

<!ELEMENT LABEL (#PCDATA) > 

<!ELEMENT ERROR (#PCDATA) > 

<!ELEMENT TM REF (#PCDATA) > 

<!ELEMENT C (#PCDATA) > 

<!ELEMENT GLOSSARY (USER LIST?, HOST LIST, CONTROL LIST?, 
TECHNOLOGY LIST?, DPD LIST?, TP LIST?, FV LIST?, TM LIST?)> 
<!ELEMENT USER LIST (USER+) > 

<!ELEMENT USER (USER LOGIN, FIRST NAME, LAST NAME) > 
<!ELEMENT FIRST NAME (#PCDATA) > 

<!ELEMENT LAST NAME (#PCDATA) > 

<!ELEMENT HOST LIST (HOST+) > 

<!ELEMENT HOST (ID, IP, TRACKING METHOD, DNS?, DNS DATA?, NETBIOS?, OS?, 
OS CPE?, QG HOSTID?, ASSET ID?, LAST VULN SCAN DATETIME?, 
LAST COMPLIANCE SCAN DATETIME?, PERCENTAGE?) > 

<!ELEMENT TRACKING METHOD (#PCDATA) > 
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(t PCDATA) > 
IP network id CDATA #IMPLIED> 
(#PCDATA) > 
(HOSTNAME?, DOMAIN?, FODN?) > 
(# PCDATA) > 
(+ PCDATA) > 
PCDATA) > 
(#PCDATA) > 
DATA) > 
PCDATA) > 


(#PCDATA) > 


(#PCDATA) > 
N SCAN 


DATETIME (PC 
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DATA) > 


E (#PCDATA) > 


PLIANCE SCAN DATETIM 


(#PCDATA) > 


l (CONTROL+) > 


STATEMENT, CRITICALITY?, REFERENCE?, DEPRECATED?, 


PCDATA) > 


T 


(LABEL, VALUE) > 


PCDATA) > 


(t PCDATA) > 


LIST (RATIONALE* 


[TECHNOLOGY ID, 


1] 


1] 


(ID, NAME)> 
TA) > 


(DPD+) > 


IST (TECHNOLOGY+ 


ID?, NAME?, D 


TA) > 


t) > 
PAIR+) > 


V)> 
PCDATA) > 


S 


WARNING+) > 


TEXT, URL?)> 


( 
(CODE? 
) 


ESC) > 


TAL ASSETS, TOTAL CONTROLS, CONTROL INSTANCES) > 


PS (#PCDATA) > 


[TROLS (#PCDATA) > 
CONTROL INSI 


[TANCES (TOTAL, 


TOTAL PASSED, TOTAL FAILED, 
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TOTAL ERROR, TOTAL EXCEPTIONS) > 


<!ELEMENT TOTAL (#PCDATA) > 

<!ELEMENT TOTAL PASSED (#PCDATA) > 
<!ELEMENT TOTAL FAILED (#PCDATA) > 
<!ELEMENT TOTAL ERROR (#PCDATA) > 
<!ELEMENT TOTAL EXCEPTIONS (#PCDATA) > 


<!-- EOF --> 


XPaths for Compliance Posture Information Output 


Compliance Posture Information Output: Request 


XPath element specifications / notes 

/POSTURE INFO LIST OUTPU (REOUEST?, RESPONSE) 

/POSTURE INFO LIST OUTPUT/REOUES 
(DATETIME, USER. LOGIN, RESOURCE, PARAM LIST?, POST. DATA?) 

/POSTURE INFO LIST OUTPUT/REOUEST/DATETIME  (#PCDATA) 

The date and time of the request. 

/POSTURE_INFO_LIST_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 


The user login ID of the user who made the request. 
/POSTURE_INFO_LIST_OUTPUT/REQUEST/RESOURCE  (#PCDATA) 

The resource specified for the request. 
/POSTURE_INFO_LIST_OUTPUT/REQUEST/PARAM_LIST (PARAM+) 
/POSTURE_INFO_LIST_OUTPUT/REQUE PARAM_LIST/PARAM (KEY, VALUE) 
/POSTURE_INFO_LIST_OUTPUT/REQUE PARAM LIST/PARAM/KEY (#PCDATA) 


/ 
/ 
An input parameter name. 
/ 
t 


/POSTURE INFO LIST OUTPUT/REOUE PARAM LIST/PARAM/VALUE  (#PCDATA) 
parameter value. 

/POSTURE INFO LIST OUTPUT/REOUEST/POST. DATA (#PCDATA) 

The POST data, if any. 


Compliance Posture Information Output: Response 


XPath element specifications / notes 
/POSTURE INFO LIST OUTPU (REOUEST?, RESPONSE) 
/POSTURE INFO LIST OUTPUT/RESPONSE 


DATETIME, (INFO. LIST?, SUMMARY?, WARNING. LIST?, GLOSSARY?) | 
POLICY+)) 


/POSTURE INFO LIST OUTPUT/RESPONSE/DATETIME — (*PCDATA) 

The date and time of the response. 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/POLICY 

ID, DATETIME, INFO LIST?, SUMMARY?, WARNING_LIST?, GLOSSARY?) 
/POSTURE INFO LIST OUTPUT/RESPONSE/POLICY/ID (#PCDATA) 


The ID of a policy when “policy ids” was specified. 


354 


XPath 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 9 - Compliance XML 


element specifications / notes 


AMOSINUINE NTE) ICSI 


/RES 


PONSE/POLICY/DATETIME (4PCDATA) 


The date and time when the policy's posture info was collected from the 
API user's account. 


/POSTURE INFO LIST. 


/RESPONSE/INFO. LIST 


(INFO+ 


/POSTURE_INFO_LIST_ 


/RESPONSE/INFO L 


(ID, HOST. ID, CONTROL 
REMEDIATION?, P 


PREVIOUS STATU 


FO 


_ID, TECHNOLOGY ID, INSTANCE?, STATUS, 
RE MODIFIED DATE?, EVALUATION_DATE?, 
RST. FAIL DATE?, LAST. FAIL DATE?, 


FIRST. PASS DATE?, LAST. PASS DATE?, EXCEPTION?, EVIDENCE?, 


GAUSE OF. FAILU 


/POSTU 


/RESPONSE/INFO L 


A compliance pos 


FO/ID  (*PCDATA) 


info record ID. 


/POSTU 


/RESPONSE/INFO_L 


FO/HOST_ID — (*PCDATA) 


A host ID for a compliance posture info record. 


An instance value 


/POSTU /RESPONSE/INFO_L FO/CONTROL_ID  (#PCDATA) 
A control ID for a lance posture info record. 
/POSTU /RESPONSE/INFO_L FO/INSTANCE (#PCDATA) 


compliance posture info record. 


/POSTU 


/RESPONSE/INFO_L 


FO/STATUS (#PCDATA 


A compliance status for a compliance posture info record: Passed, Failed or 


Error. Error is returned only for a custom control in the case where an error 


occurred during contro 


option was not se 


evaluation (and the ignore errors configuration 
for the control). 


/POSTU 


RESPONSE/INFO_L 


Remediation informati 


FO/REMEDIATION — (*PCDATA) 


on for a compliance posture info record. 


Date and time of 


/POSTU RESPONSE/INFO_L FO/EVALUATION_DATE (#PCDATA) 
Date and time of posture evaluation. 
/POSTU RESPONSE/INFO_L FO/POSTURE_MODIFIED_DATE (# PCDATA) 


ification for a compliance posture info record. 


/POSTU 


RESPONSE/INFO_L 


The previous status 


scan. 


FO/PREVIOUS STATUS (#PCDATA 


(passed or failed) of the controls before the compliance 


/POSTU 


RESPONSE/INFO_L 


FO/ FIRST. FAIL DATE (#PCDATA) 


In a set of compliance scans in which a control is failed in all the scans, this 
is the date and time of the first compliance scan in the set for the failed 


control. 


/POSTURE_INFO_LIST_ 


/RESPONSE/INFO_ 


LIST 


[/INFO/LAST_FAIL_DATE (#PCDATA) 


The latest or most recent date and time when the compliance scan failed 


for controls.. 


/POSTURE_INFO_LIST_OUTPU 


/RESPONSE/INFO_LIS1 


[/INFO/FIRST. PASS DATE (4PCDATA) 


In a set of compliance scans in which a control is passed in all the scans, 
this is the date and time of the first compliance scan in the set for the 


passed control. 
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/POSTURE INFO LIST OUTPUT/RESPONSE/INFO LIST/INFO/ LAST. PASS DATE (4PCDATA) 


The latest or most recent date and time when the compliance scan passed 
for controls. 


/POSTURE INFO LIST OUTPUT/RESPONSE/INFO. LIST/INFO/EXCEPTION 


(ASSIGNEE, STATUS, END. DATETIME?, CREATED?, LAST. MODIFIED?, 
COMMENT. LIST?) 
/POSTURE INFO LIST OUTPUT/RESPONSE/INFO LIST/INFO/EXCEPTION/ASSIGNEE (#PCDATA) 


An assignee for an exception for a compliance posture info record. 
/POSTURE INFO LIST OUTPUT/RESPONSE/INFO LIST/INFO/EXCEPTION/STATUS  (*PCDATA) 


(E, 
The status of an exception for a compliance posture info record: Pending 
approval), Accepted, Rejected or Expired. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/EXCEPTION/END_DATETIME — (4PCDATA) 


The date/time when an exception for a compliance posture info record 
expires (ends). 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/ 


FO/EXCEPTION/CREATED (BY, DATETIME) 


The date/time when an exception for a compliance posture info record was 


N 
n 
created, and the user login ID of the user who created it. 
N 
n 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/EXCEPTION/LAST_MODIFIED (BY, DATETIME) 


The date/time when an exception for a compliance posture info record was 
ast modified, and the user login ID of the user who modified it. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/EXCEPTION/COMMENT_LIS (COMMENT +) 


/POSTURE INFO LIST OUTPUT/RESPONSE/INFO. LIST/INFO/EXCEPTION/COMMENT. LIST/COMMENT 
DATETIME, BY, TEXT) 


The date/time when comments were entered for an exception fora 
compliance posture info record, the user login ID of the user who entered 
these comments, and the text of the comments entered. 


/POSTURE INFO LIST OUTPUT/RESPONSE/INFO LIST/INFO/EVIDENCE (BOOLEAN_EXPR, DPV LIST?) 
/POSTURE INFO LIST. OUTPUT/RESPONSE/INFO LIST/INFO/EVIDENCE/BOOLEAN EXPR  (*PCDATA) 


A Boolean expression string representing a data point rule for a control, 
which is used by the service to evaluate data point information gathered by 
the most recent compliance scan ofthe host. A data point rule is derived 
from a policy in the user's account. To understand why a posture info 
ecord has a Passed or Failed compliance status, take this boolean 
expression and plug in the data point “actual” values gathered from the 
most recent compliance scan in <DPV LIST> and “expected” values as 
defined in the policy in <FV LIST> or <TP LIST>. 


/POSTURE INFO LIST. OUTPUT/RESPONSE/INFO. LIST/INFO/EVIDENCE/EXTENDED. EVIDENCE 
(BOOLEAN_EXPR, DPV LIST?) 


The Extended Evidence includes any additional findings/information 
collected during the control evaluation on the host to support the actual 
result. 


/POSTURE INFO LIST OUTPUT/RESPONSE/INFO. LIST/INFO/EVIDENCE/STATISTICS | (BOOLEAN_EXPR, 
DPV LIST?) 


The Statistics will show information found during the control evaluation 
irrespective of whether the control Passed or Failed. 
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/POSTURE INFO LIST. OUTPUT/RESPONSE/INFO. LIST/INFO/EVIDENCE/EXTENDED STATISTICS. ERROR 
(BOOLEAN EXPR, DPV LIST?) 


The Extended Statistics Error will show the error message in case of any 
error found during the compliance scan. 


/POSTURE INFO LIST OUTPUT/RESPONSE/INFO LIST/INFO/EVIDENGCE/DPV. LIST  (DPV+) 
/POSTURE INFO LIST. OUTPUT/RESPONSE/INFO. LIST/INFO/EVIDENCE/DPV. LIST/DPV 
(LABEL, (ERROR|V)+, TM. REF?) 


attribute: lastUpdated astUpdated is the most recent date/time the datapoint was scanned. 
/POSTURE INFO LIST OUTPUT/RESPONSE/INFO. LIST/INFO/EVIDENCE/DPV. LIST/DPV/LABEL 
#PCDATA) 


A label for a data point in the data point rule. This is a service-generated 
value in the format :dp_x such as :dp_1, :dp_2, :dp_3... These labels are not 
persistent and change each time an API call is made. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/EVIDENCE/DPV_LIST/DPV/ERROR 
#PCDATA) 


An error for a data point. The value NOT_FOUND is returned when a data 
point which is needed to evaluate a Boolean expression (in 
<BOOLEAN_EXPR>) was not detected on the host. When returned, no data 
point values are returned in <V> elements under <DPV_LIST>. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/EVIDENCE/DPV_LIST/DPV/V (#PCDATA) 


” 


A data point “actual” value, as returned from the most recent compliance 
scan. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/EVIDENCE/DPV_LIST/(#PCDATA|H]R)* 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/EVIDENCE/DPV_LIST/DPV/V/H 

Header name returned by the scan results. 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/EVIDENCE/DPV_LIST/DPV/V/R 
Row name returned by the scan results. 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/EVIDENCE/DPV_LIST/DPV/V/C 
Column name returned by the scan results. 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/EVIDENCE/DPV_LIST/DPV/TM_REF 
#PCDATA 


A translation context reference. This is a service-generated value in the 
format @tm_x such as @tm_1, @tm_2. @tm_3... These labels are not 
persistent and change each time an API call is made. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/CAUSE_OF_FAILURE 
(DIRECTORY_FIM_UDC, UNEXPECTED?, MISSING?, ADDED_DIRECTORIES?, REMOVED_DIRECTORIES?, 
PERMISSON_CHANGED_DIRECTORIES?, CONTENT_CHANGED_DIRECTORIES?) 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/CAUSE_OF_FAILURE/ 
DIRECTORY_FIM_UDC (#PCDATA) 


Name of failed Directory Integrity Monitoring UDC (user defined control). 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/CAUSE_OF_FAILURE/ 
UNEXPECTED (V*) 


For failed Directory Integrity Monitoring UDC, cause of failure is one or 
more unexpected values as listed. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/INFO_LIST/INFO/CAUSE_OF_FAILURE/ 
MISSING (V*) 
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more 


For fai 


ed Directory 
missing values as listed (with logic gi 


ntegrity Monitoring U 


DC, cause of failure is one or 
ven as value attribute). 


/POSTURE_INFO_LIST_OUTPUT/R 


ADDED. DIRECTORIES (V*) 


ESPON 


For fai 


SE/ 


ed Directory 
more added files/directories as listed. 


NFO. LIST/INFO/CA 


USE. (O)E 1% 


ntegrity Monitoring U 


LURE/ 


DC, cause of failure is one or 


/POSTURE_ 
REMOVED 


DIRECTORIES (V*) 


NFO LIST. OUTPUT/R 


more 


ESPON 


For fai 


SE/ 


ed Directory 
removed files/ 


NFO. LIST/INFO/CA 


directories 


USE OF FA 


ntegrity Monitoring U 
as listed. 


LURE/ 


DC, cause of failure is one or 


/POSTURE_ 


NFO_LIST_OUTPUT/R 
PERMISSON_CHANGED_DIRECTO 


ESPON 
RIES (V*) 


For fai 


SE/ 


ed Directory 
permissions changed on one or more 


NFO_LIST/INFO/CA 


USE_OF_FA 


ntegrity Monitoring U 


files/ 


LURE/ 


DC, cause of failure is 
directories as listed. 


/POST 


URE 
ENT_CHANGED_D 


NFO_LIST_OUTPU 
R 


T/R 
EGTOR 


ESPON 
ESTA 
For fai 
changed o 


SE/ 


ed Directory 
n one or more fi 


NFO. LIST/INFO/CA 


USE OF FA 


ntegrity Monitoring U 


LURE/ 


DC, cause of failure is content 
es/directories as listed. 


POST 


RE INFO LIST. OUTPU 


/RESPO 


NS 


E/INFO 


ST/SU 


MMARY 


TOTAL. 


AS 


SEIS; 


WAL, | 


ONTROLS, CONTROL INSTANCES) 


POST 


RE INFO LIST. OUTPU 


/RES 


Total 


PONS 


numbe 


E/INFO | 


O 


hos 


ST/SU 


ts eva 


E 
MMARY/ 


uated. 


OTAL ASSETS (4PCDATA) 


POST 


RE INFO LIST. OUTPU 


/RES 


PO 


Total 


S 


numbe 


E/INFO_ 


O 


con 


ST/SU 


MMARY/TO 


trols evaluated. 


¿LE 


ON 


ROLS 


(#PCDATA) 


POST 


OMAS eO@ Um 


/RES 


PONS 


TOTAL, 
KOTAS 


E/INFO_ 


TOTAL 
EXCE 


Balk 


MMARY/CONT 
DOLRATEEATEE, 


D, TOTA 


ES 
ROR, 


/RES 


PONS 


E/INFO 


MMARY/CONT 


instances eva 


ES/ 


FO LIST OUTPU 
D (#PCDATA) 


MMARY/CONT 


tances with 


passed s 


tatus. 


ES/ 


NFO LIST. OUTPU 
ED (#PCDATA 


MMARY/CONT 


instances with 


NSTANC 


iled status 


ES/ 


FO_LIST_OUTPU 
RROR (#PCDATA 


my 


MMARY/CONT 


instances with 


STANC 


status. 


ES/ 


PO 


REM OMAS pl) OT] 


_EXCEPTIONS (4PCDATA) 


/RES 


of 


con 


MMARY/CONT 


trol instances wit 


ptio 


NSTANG 


NS. 


ES/ 
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/POSTURE INFO LIST 


_OUTPU 


/RESPONS 


(SERIE 


DEDENS 


E/GLOSSARY 


ST?, HOST LIST, CONTROL LIST?, TECHNOLOGY LIST?, 
TE, PISTA E IST, MSIE) 


/POSTURE INFO LIST 


_OUTPU 


/RESPONS 


Al 


posture 


ist of users who cre 
associated with comp 
information output. 


E/GLOSSARY/USER_LI 


lance pos 


ST 


(USER+) 


ated, modified, or added comments to exceptions 
ture info records which are included in the 


/POST 


RE 


HO) JOSIE ©) 


/RESPONS 
USER_LOGIN, FIRST_NAME, LAST_NAME 


E/GLOSSARY/USER_L 


ST/U 


SER 


/POST 


RE 


NFO_LIST_O 


/RESPONS 


Auser login ID associated with an exception in a posture info record. 


E/GLOSSARY/USER_L 


ST/U 


SER  (*PCDATA) 


/POST 


RE 


NEOSHISIEO 


/RESPONS 


info re 


rhe first 


E/GLOSSARY/USER_L 


ST/FI 


RST NAME  (*PCDATA) 


name ofan accountuser associated with an exception in a posture 
cord. 


(POST 


RE 


NFO LIST 0 


UTPU 


/RESPONS 


The last 


E/GLOSSARY/USER_L 


ST/LAST NAME  (#PCDATA) 


name of an account user associated with an exception in a posture 
info record. 


/POST 


RES 


NFO_LIST_O 


UTPU 


/RESPONS 
A list of 
posture 


hosts in compliance p 
ist output. 


E/GLOSSARY/HOST. LIS 


(HOST+) 


osture info records which are included in the 


(POST 


RES 


NI) ILS (9) 


UTPU 


/RESPONS 


OG HOS 


LAST. COMPLIANC 


E/GLOSSARY/HOST. LIST/H 
ID, IP, TRACKING METHOD, D 


NS?, 


OST 
DNS_DATA?, NETBIOS?, OS?, OS_CPE?, 


TID?, ASSET_ID?, LAST_VULN_SCAN_DATETIME?, 


E_SCAN_DATET 


ME?, PERCENTAGE?) 


/POST 


RE 


NFO_LIST_O 


/RESPONS 
A host ID for a host in a postu 


E/GLOSSARY/HOST_L 


S 


OST/ID (#PCDATA) 


info record. 


/POST 


U 


RES 


INIFO)ILUS {© 


/RESPONS 
An IP address for a host in a p 


E/GLOSSARY/HOST_L 


OST/IP (#PCDATA) 


ture info record. 


OST 


RE 


LORE Sia© 


UTPU 


E/GLOSSARY/HOST_L 


king method for a host ina 


OST/TRACKING_METHOD (#PCDATA) 
posture info record: IP, DNS NETBIOS, or 


/POST 


RE 


KOMA SUS) 


UTPU 


/RESPONS 


E/GLOSSARY/HOST_L 


"he DNS user name for a host in 


OST/DNS  (#PCDATA) 


posture info record, when available. 


/POST 


RES 


NFO_LIST_O 


UTPU 


/RESPONS 
HOSTNAME?, DOMAIN?, FQD 


E/GLOSSARY/HOST_L 


S 
N? 


OST/DNS_DATA 


/POST 


RES 


NFO LIST 0 


UTPU 


/RESPONS 
[The DNS hostname for the asset. 


E/GLOSSARY/HOST_L 


OST/DNS_DATA/HOSTNAME (#PCDATA) 


/POST 


RE 


NFO_LIST_O 


/RESPONS 


E/GLOSSARY/HOST_L 


[The domain name for the asset. 


OST/DNS DATA/DOMAIN  (#PCDATA) 


(POST 


RE 


NFO LIST 0 


/RESPONS 


The Fully Qualified Domain N 


E/GLOSSARY/HOST_L 


OST/DNS_DATA/FQDN (#PCDATA) 
FQDN) for the asset. 


/POST 


RES 


OMAS MMS) 


/RESPONS 


E/GLOSSARY/HOST_L 


[The NetBIOS user name for a host i 


OST/NETBIOS (#PCDATA) 


na posture info record, when available. 
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/POSTURE INFO LIST OUTPUT/RESPONSE/GLOSSARY/HOST LIST/HOST/OS  (*PCDATA) 


The operating system detected on a host in a posture info record, when 
available. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/HOST_LIST/HOST/OS_CPE (#PCDATA) 


[The OS CPE name assigned to the operating system detected on the host. 

(The OS CPE name appears only when the OS CPE feature is enabled for the 
subscription, and an authenticated scan was run on this host after enabling 
this feature.) 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/HOST_LIST/HOST/QG_HOSTID (#PCDATA) 


The Qualys host ID assigned by Qualys. This is unique and persistent per 
host. Qualys host ID is assigned when the host is scanned and agentless 
tracking is enabled, or when a cloud agent is installed, whichever happens 
first. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/HOST_LIST/HOST/ASSET_ID (#PCDATA) 


The unique asset ID assigned to each host asset in your subscription. You'll 
see the asset ID in several Asset Management APIs. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/HOST_LIST/HOST/ 


LAST_VULN_SCAN_DATETIME — (*PCDATA) 


The date/time when a vulnerability scan was most recently launched on a 
host in a compliance posture info record. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/HOST_LIST/HOST/ 
LAST_COMPLIANCE_SCAN_DATETIME  (#PCDATA) 


The date/time when a compliance scan was most recently launched on a 
host in a compliance posture info record. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/HOST_LIST/HOST/PERCENTAGE (#PCDATA) 


The percentage of controls that passed for the host. For example “85.71% 
84 of 98)” mean 85.71% of the controls passed, 84 controls passed and 98 
controls were evaluated). 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/CONTROL_LIS (CONTROL+) 


A list of compliance controls in compliance posture info records which are 
included in the posture information output. 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/CONTROL_LIST/CONTROL 


ID, STATEMENT, CRITICALITY?, REFERENCE?, DEPRECATED?, 
RATIONALE_LIST? 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/CONTROL_LIST/CONTROL/ID — (*PCDATA) 
A control ID. 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/CONTROL_LIST/CONTROL/STATEMENT 
HPCDATA) 
A control statement. 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/CONTROL_LIST/CONTROL/CRITICALITY 
(LABEL, VALUE) 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/CONTROL_LIST/CONTROL/CRITICALITY/LABEL 
(#PCDATA) 


A criticality label (e.g. SERIOUS, CRITICAL, URGENT) assigned to the 
control. 
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/POSTURE INFO LIST OUTPUT/RES 


(4PCDATA) 


A criticality value (0-5) assigned to the control. 


PONSE/GLOSSARY/CONTROL_LIST/CONTROL/CRITICALITY/VALUE 


ES 
HP 


/POSTURE INFO LIST. OUTPUT/R 


PONSE/GLOSSARY/CONTROL LIST/CONTROL/REFERENC 
CDATA) 


A control reference. This could be a CIS reference, STIG refe 
defined reference. 


ence or user 


/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/CONTROL_LIST/CONTROL/DEPRECATED 

(#PCDATA) 

The value 1 identifies a deprecated control. This element appears only for a 

deprecated control. 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/CONTROL_LIST/CONTROL/RATIONALE _LIST 

(RATIONALE") 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/CONTROL_LIST/ 

CONTROL/RATIONALE LIST/RATIONALE 
(TECHNOLOGY ID, TEXT) 
/POSTURE INFO LIST OUTPUT/RESPONSE/GLOSSARY/CONTROL LIST/ 
CONTROL/RATIONALE LIST/RATIONALE/TECHNOLOGY ID (#PCDATA) 

An ID for a technology associated with a control’s rationale.. 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/CONTROL_LIST/ 

CONTROL/RATIONALE LIST/RATIONALE/TEXT (#PCDATA) 

A text description associated with a control's rationale. 
/POSTURE INFO LIST OUTPUT/RESPONSE/GLOSSARY/TECHNOLOGY LIST (TECHNOLOGY+) 
/POSTURE INFO LIST. OUTPUT/RESPONSE/GLOSSARY/TECHNOLOGY LIST/TECHNOLOGY (ID, NAME) 
/POSTURE INFO LIST OUTPUT/RESPONSE/GLOSSARY/TECHNOLOGY LIST/TECHNOLOGY/ID 

(#PCDATA) 

An ID for a technology in a posture info record. 

/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/TECHNOLOGY_LIST/TECHNOLOGY/NAME 
(#PCDATA) 

Aname for a technology in a compliance posture info record. 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/DPD_LIST (DPD+) 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/DPD_LIST/DPD (LABEL, ID?, NAME?, DESC) 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/DPD_LIST/DPD/LABEL (#PCDATA) 

A service-defined, internal label for a data point. 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/GLOSSARY/DPD_LIST/DPD/ID? — (EPCDATA) 

A service-defined, ID for a data point. 

/POSTURE INFO LIST OUTPUT/RESPONSE/GLOSSARY/DPD LIST/DPD/NAME? (#PCDATA) 

A service-defined, name for a data point. 

/POSTURE INFO LIST OUTPUT/RESPONSE/GLOSSARY/DPD LIST/DPD/DESC  (#PCDATA) 

A description for a data point, which corresponds to a data point label in a 

<LABEL> element. 
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element specifications / notes 


/POSTURE INFO LIST 


_OUTPU 


/RESPONSE/GLOSSARY/TP_LIST (TP+) 


/POSTURE_INFO_LIST 


_OUTPU 


/RESPONSE/GLOSSARY/TP_LIST/TP (LABEL, V*) 


/POSTURE_INFO_LIS 


_OUTPU 


/RESPONSE/GLOSSARY/TP_LIST/TP/LABEL — (*PCDATA) 


A label for a data point text pattern as defined in a policy. This is a service- 
generated value $tp x such as $tp 1, $tp 2, $tp 3... The data point text 
pattern labels are not persistent and change each time an API call is made. 


/POSTURE_INFO_LIST 


_OUTPU 


/RESPONSE/GLOSSARY/TP_LIST/TP/V  (*PCDATA) 


A data point text pattern value in a policy. 


/POSTURE_INFO_LIS 


_OUTPU 


/RESPONSE/GLOSSARY/FV LIST  (FV+) 


/POSTURE INFO LIST 


_OUTPU 


/RESPONSE/GLOSSARY/FV_LIST/FV (LABEL, V*) 


/POSTURE_INFO_LIST_ 


OUTPU 


/RESPONSE/GLOSSARY/FV_LIST/FV/LABEL  (#PCDATA) 


A label for a fixed value selection in a policy. This is a service-generated 
value #fv_x such as #fv_1, #fv_2, #fv_3... The data point fixed value labels 
are not persistent and change each time an API call is made. 


/POSTURE_INFO_LIST 


COVERY 


/RESPONSE/GLOSSARY/FV_LIST/FV/V (#PCDATA) 


A data point fixed value selection in a policy. 


/POST 


PURE INFO LIST 


_OUTPU 


/RESPONSE/GLOSSARY/TM_LIST (TM+) 


/POST 


TURE_INFO_LIS 


_OUTPU 


/RESPONSE/GLOSSARY/TM_LIST/TM (LABEL, PAIR+) 


/POST 


PURE INFO LIST 


_OUTPU 


/RESPONSE/GLOSSARY/TM LIST/TM/LABEL  (*PCDATA) 


A translation context reference. This is a service-generated value in the 
format Otm xsuch as Otm 1, Otm 2. Otm 3... These labels are not 
persistent and change each time an API call is made. 


AROSI 


TURE INFO LIST. 


OUTPU 


/RESPONSE/GLOSSARY/TM LIST/TM/PAIR (K, V) 


/POST 


PURE INFO LIST 


(6) UE) 


/RESPONSE/GLOSSARY/TM LIST/TM/PAIR/K  (#PCDATA) 


A translation context key in a mapping pair. This represents a raw, 
untranslated value returned by the scanning engine. 


/POST 


PURE INFO LIST. 


OUTPU 


/RESPONSE/GLOSSARY/TM LIST/PAIR/V  (*PCDATA) 


A translation context value in a mapping pair. This represents the meaning 
associated with the raw value in the mapping pair. 


Compliance Posture Information Output: Warming 
XPath element specifications / notes 
/POSTURE_INFO_LIST_OUTPUT/RESPONSE/WARNING_LIST (WARNING+ 
/POSTURE INFO LIST OUTPUT/RESPONSE/WARNING  (CODE?, TEXT, URL?) 
/POSTURE INFO LIST OUTPUT/RESPONSE/WARNING/CODE — (4PCDATA) 
A warning code. A warning code appears when the API reguest identifies 
more than 5,000 records (compliance posture info records). 
/POSTURE INFO LIST OUTPUT/RESPONSE/WARNING/TEXT — (4PCDATA) 
A warning message. A warning message appears when the API reguest 
identifies more than 5,000 records (compliance posture info records). 
/POSTURE INFO LIST OUTPUT/RESPONSE/WARNING/URL  (#PCDATA) 


A URL for making another API request for the next batch of records 
(compliance posture info records). 
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Compliance Evidence 


This sections provides details about the compliance evidence information in the 
compliance posture information output (posture info output.dtd). 
Boolean Expression 


To understand why a control has a certain compliance status, take the boolean expression 
for a posture info record in this element: 


/POSTURE INFO LIST OUTPUT/RESPONSE/INFO LIST/INFO/EVIDENCE/BOOLEAN EXPR 


and plugin the data point “actual” values (such as :dp 1, :dp 2, :dp3, etc.) found in this 
element: 


/POSTURE INFO LIST OUTPUT/RESPONSE/INFO LIST/INFO/EVIDENCE/DPV. LIST 


and text pattern “expected” values (such as $tp 1, $tp2, $tp3, etc.) found in this element: 


/POSTURE INFO LIST OUTPUT/RESPONSE/GLOSSARY/TP LIST 


or fixed value selection “expected” values (such as ffv 1, #fv_2, ffv 3, etc.) found in this 
element: 


/POSTURE INFO LIST OUTPUT/RESPONSE/GLOSSARY/FV. LIST 


Boolean Expression: Data Type Operators 
The following operators may be used to construct a Boolean expression string. The 
operators are specific to the data type of the data point value. 


For all operator descriptions: X is the “actual” data point value (in the most recent scan 
results) compared to Y which is the “expected” value (in a policy). 


Operator Description Data Type Example 

> XisgreaterthanY Integer :dp_1>3 

< X is less than Y Integer dp 1<5 

>= Xis greater than Integer :dp_2 >= 4 
or equal to Y 

<= X is less than or Integer :dp_2 <=2 
equal to Y 

== X is equal to Y nteger :dp_1 == 

!(X) X not equal to Y nteger \(:dp_1 > 5) 

matches X matches Y Regular :dp_4 matches $tp 1 

Expression 


Boolean Expression: Cardinality Operators 
The following cardinality operators may be used to construct a Boolean expression string. 


A cardinality operator is used to: 
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- Compare multiple “actual” values to a single “expected” value for a control 
- Compare multiple “actual” values to multiple “expected” values for a control 


For all cardinality operator descriptions: X is the “actual” data point value (in the most 
recent scan results) compared to Y which is the “expected” value (in a policy). 


Gardinality Description Data Type in List Example 
Operator 
match_any Match any X in Y nteger :dp_1 match any $tp_5 
Regular 
Expression 
match_all Match all X in Y nteger :dp_1 match all $tp_5 
Regular 
Expression 
empty X is empty Integer :dp_8 empty 
Regular 
Expression 
not_empty X is not empty nteger :dp_8 not_empty 
Regular 
Expression 
contains X contains allofY Integer :dp_2 contains $tp 2 
Regular 
Expression 
does_not_contai X does not Integer :dp_2 does_not_contain 
n contain any of Y Regular $tp_1 
Expression 
intersect Any value in X Integer :dp_3 intersect $tp_5 
matches any Regular 
value in Y Expression 
matches All values in X Integer :dp_3 matches $tp_2 
match all values Regular 
in Y Expression 
is contained in All values in Xare Integer :dp_9 is_contained_in $tp 3 
contained in Y Regular 
Expression 


Boolean Expression: Logical Grouping Operators 


The following logical grouping operators may be used to construct a Boolean expression 
string. 


For all operator descriptions: X is the “actual” data point value (in the most recent scan 
results) compared to Y which is the “expected” value (in a policy). 
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Operator Description Example 

(X) Evaluates subexpression X before (:dp_1 > 5) 
evaluating anything outside of the 
parentheses 

and Combines two logical subexpressions  (:dp_1< 4) and (:dp_1 > 8) 
(ANDed) 

or Combines two logical subexpressions  (:dp_1< 4) or (:dp_1 > 8) 
(ORed) 


Control Values 


Certain values appear in data point control values, for example registry permissions and 
file/directory permissions. For information on control values, log into your Qualys account 


and search for “control values” in online help. 
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<platform API server>/api/2.0/fo/report/?action=fetch 


DTD for Compliance Policy Report 


<platform API server>/compliance_policy_report.dtd 


A recent DTD is shown below. 
<?xml version="1.0" encoding="UTF-8"?> 
<!-- QUALYS COMPLIANCE POLICY REPORT DTD --> 
<!-- SRevision$ --> 
<!ELEMENT COMPLIANCE POLICY REPORT (ERROR | (HEADER, (SUMMARY), 
(RESULTS) ) )> 
<!ELEMENT ERROR (#PCDATA) > 
<!ATTLIST ERROR number CDATA #IMPLIED> 
<!ELEMENT HEADER (NAME, GENERATION DATETIME, COMPANY INFO, USER INFO, 
FILTERS) > 
<!ELEMENT NAME (#PCDATA)> 
<!ELEMENT GENERATION DATETIME (#PCDATA) > 
<!ELEMENT COMPANY INFO (NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP CODE) > 
<!ELEMENT ADDRESS (#PCDATA) > 
<!ELEMENT CITY (#PCDATA) > 
<!ELEMENT STATE (#PCDATA) > 
<!ELEMENT COUNTRY (#PCDATA) > 
<!ELEMENT ZIP CODE (#PCDATA) > 
<!ELEMENT USER INFO (NAME, USERNAME, ROLE) > 
<!ELEMENT USERNAME (#PCDATA) > 
<!ELEMENT ROLE (#PCDATA) > 
<!ELEMENT FILTERS (POLICY, POLICY LOCKING?, ASSET GROUPS?, IPS?, 
HOST INSTANCE?, ASSET TAGS?, PC AGENT IPS?, POLICY LAST EVALUATED) > 
<!ELEMENT POLICY (#PCDATA) > 
<!ELEMENT POLICY LOCKING (#PCDATA) > 
<!ELEMENT ASSET GROUPS (ASSET _GROUP*) > 
<!ELEMENT ASSET GROUP (ID, NAME) > 
<!ELEMENT IPS (IP LIST?, NEWWORK?) > 
<!ELEMENT IP LIST (IP*)> 
<!ELEMENT NEWWORK (#PCDATA) > 
<!ELEMENT INCLUDED TAGS (SCOPE, TAGS) > 
<!ELEMENT EXCLUDED TAGS (SCOPE, TAGS) > 
<!ELEMENT TAGS (NAME*) > 
<!ELEMENT SCOPE (#PCDATA) > 


366 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 9 - Compliance XML 


<!ELEMENT HOST INSTANCE (IP?, INSTANCE?) > 

<!ELEMENT PC AGENT IPS (#PCDATA) > 

<!ELEMENT POLICY LAST EVALUATED (#PCDATA) > 

<!ELEMENT SUMMARY (TOTAL ASSETS, TOTAL CONTROLS, CONTROL INSTANCES, 
CONTROLS SUMMARY?, HOST STATISTICS?) > 

<!ELEMENT CONTROL INSTANCES (TOTAL, TOTAL PASSED, TOTAL FAILED, 
TOTAL ERROR, TOTAL EXCEPTIONS) > 

<!ELEMENT TOTAL (#PCDATA) > 

<!ELEMENT TOTAL ASSETS (#PCDATA) > 

<!ELEMENT TOTAL CONTROLS (#PCDATA) > 

<!ELEMENT TOTAL PASSED (#PCDATA) > 

<!ELEMENT TOTAL FAILED (#PCDATA) > 

<!ELEMENT TOTAL ERROR (#PCDATA) > 

<!ELEMENT TOTAL EXCEPTIONS (#PCDATA) > 

<!ELEMENT CONTROLS SUMMARY (CONTROL INFO*) > 

<!ELEMENT CONTROL INFO (ORDER, CONTROL ID, STATEMENT, CRITICALITY?, 
PERCENTAGE, DEPRECATED?) > 

<!ELEMENT CONTROL ID (#PCDATA) > 

<!ELEMENT ORDER (#PCDATA) > 

<!ELEMENT PERCENTAGE (#PCDATA) > 

<!ELEMENT CRITICALITY (LABEL, VALUE) > 

<!ELEMENT DEPRECATED (#PCDATA) > 

<!ELEMENT RESULTS ( HOST LIST, CHECKS?, DP DESCRIPTIONS?) > 
<!ELEMENT HOST LIST (HOST*) > 

<!ELEMENT HOST (TRACKING METHOD, QG HOSTID?, IP, DNS?, NETBIOS?, 
OPERATING SYSTEM?, OS CPE?, LAST SCAN DATE?, TOTAL PASSED, TOTAL FAILED, 
TOTAL ERROR, TOTAL EXCEPTIONS, ASSET TAGS?, CONTROL LIST, NETWORK?) > 
<!ELEMENT CHECKS (CHECK*) > 

<!ELEMENT CHECK (NAME, DP NAME, EXPECTED, ACTUAL, ADDED DIRECTORIES?, 
REMOVED DIRECTORIES?, PERMISSON CHANGED DIRECTORIES?, 

CONTENT CHANGED DIRECTORIES?, PERMISSION TRANSLATION?, 

EXTENDED EVIDENCE?, STATISTICS?) > 

<!ELEMENT DP NAME (#PCDATA) > 

<!ELEMENT EXTENDED EVIDENCE (4PCDATA) > 

<!ELEMENT STATISTICS (STATS*, SEARCH DURATION?, ERRORS?) > 
<!ELEMENT EVALUATION (#PCDATA) > 

<!ELEMENT EXPECTED (V*, CRITERIA?) > 

<!ATTLIST EXPECTED logic CDATA #FIXED "OR"> 

<!ELEMENT CRITERIA (EVALUATION, V*)> 

<!ELEMENT ACTUAL (V*)> 

<!ELEMENT V (#PCDATA) > 

<!ATTLIST ACTUAL lastUpdated CDATA #IMPLIED> 

<!ELEMENT ADDED DIRECTORIES (V*)> 

<!ELEMENT REMOVED DIRECTORIES (V*)> 

<!ELEMENT PERMISSON CHANGED DIRECTORIES (V*)> 

<!ELEMENT CONTENT CHANGED DIRECTORIES (V*)> 
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<!ELEMENT PERMISSION TRANSLATION (PAIR+) > 
<!ELEMENT PAIR (K, V)> 
<!ELEMENT K (#PCDATA) > 


N 
Y 
Fr 
T 
a 
3 
3 
J 


P DESCRIPTIONS (DP*)> 
P (DP NAME, DESCRIPTION, SCAN PARAMETERS?) > 
ESCRIPTION (#PCDATA) > 


A 
T 
Fr 
T 
Zz 
3 
CO 


A 
x 
Fr 
T 
2 
3 
3 
J 


T SCAN_PARAMETERS (PARAM*)> 
T PARAM (LABEL, VALUE)> 

T LABEL (#PCDATA)> 

T VALUE (#PCDATA)> 


42234284 


T TRACKING METHOD (#PCDATA) > 
IP (#PCDATA) > 
QG HOSTID (#PCDATA) > 

T DNS (#PCDATA) > 
N 
O 


ETBIOS (#PCDATA) > 

PERATING SYSTEM (#PCDATA) > 
T OS CPE (#PCDATA) > 

T LAST SCAN DATE (#PCDATA) > 

T ASSET TAGS (ASSET TAG* | (INCLUDED TAGS?, EXCLUDED TAGS?) ) > 
T ASSET TAG (#PCDATA) > 


a AU AUAAA 


<!ELEMENT CONTROL LIST (CONTROL*) > 
<!ELEMENT CONTROL (CID, STATEMENT, CRITICALITY?, CONTROL REFERENCES?, 
DEPRECATED?, RATIONALE?, INSTANCE?, STATUS, REMEDIATION?, 
CAUSE OF FAILURE?, TECHNOLOGY, EVALUATION DATE?, PREVIOUS STATUS?, 
FIRST FAIL DATE?, LAST FAIL DATE?, FIRST PASS DATE?, LAST PASS DATE?, 
EVIDENCE ?, EXCEPTION?, CONTROL COMMENTS?) > 

<!ELEMENT CID (#PCDATA) > 
<!ELEMENT STATEMENT (#PCDATA) > 
<!ELEMENT CONTROL REFERENCES (#PCDATA) > 
<!ELEMENT RATIONALE (#PCDATA) > 
<!ELEMENT STATUS (#PCDATA) > 
<!ELEMENT REMEDIATION (#PCDATA) > 
<!ELEMENT CAUSE OF FAILURE (UNEXPECTED?, MISSING?) > 
<!ELEMENT UNEXPECTED (V*)> 

<!ELEMENT MISSING (V*)> 
<!ATTLIST MISSING logic CDATA #FIXED "OR"> 
<!ELEMENT TECHNOLOGY (ID, NAME) > 

<!ELEMENT ID (#PCDATA) > 
<!ELEMENT EVALUATION DATE (#PCDATA) > 

<!ELEMENT INSTANCE (#PCDATA) > 

<!ELEMENT EVIDENCE (#PCDATA) > 

<!ELEMENT EXCEPTION (ASSIGNEE, STATUS, END DATE, CREATED BY, CREATED DATE, 
MODIFIED BY, MODIFIED DATE, COMMENT LIST?) > 

<!ELEMENT ASSIGNEE (#PCDATA) > 

<!ELEMENT END DATE (#PCDATA) > 

<!ELEMENT CREATED BY (#PCDATA) > 

<!ELEMENT CREATED DATE (#PCDATA) > 

<!ELEMENT MODIFIED BY (#PCDATA) > 

<!ELEMENT MODIFIED DATE (#PCDATA) > 

<!ELEMENT COLUMN NAME (#PCDATA) > 


H 
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<!ELEMENT CONTROL COMMENTS (#PCDATA) > 

<!ELEMENT NETWORK (#PCDATA) > 

<!ELEMENT COMMENT LIST (COMMENT+) > 

<!ELEMENT COMMENT (DATETIME, BY, TEXT) > 

<!ELEMENT TEXT (#PCDATA) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT BY (#PCDATA) > 

<!ELEMENT HOST STATISTICS (HOST INFO*)> 

<!ELEMENT HOST INFO (IP, TRACKING METHOD, QG HOSTID?, DNS, NETBIOS, 
OPERATING SYSTEM, LAST SCAN DATE, PERCENTAGE, 

NETWORK?, HOST ID?, CLOUD PROVIDER?, CLOUD SERVICE?, CLOUD RESOURCE ID?, CLOUD 
- RESOURCE TYPE?, CLOUD ACCOUNT ID?, 

CLOUD IMAGE ID?,CLOUD RESOURCE INFO?) > 

<!ELEMENT CLOUD RESOURCE INFO (PUBLIC IP ADDRESS?, PRIVATE IP ADDRESS?, 
VPC_ID?, SUBNET ID?, INSTANCE TYPE?, INSTANCE STATE?, REGION CODE?, 
AVAILABILITY ZONE?, PRIVATE DNS NAME?, PUBLIC DNS NAME? , GROUP ID?, 
GROUP NAME?, RESERVATION ID?, IS SPOT INSTANCE?, LOCAL HOSTNAME?, 
MAC ADDRESS?) > 

<!ELEMENT STATS (#PCDATA) > 

<!ELEMENT SEARCH DURATION (#PCDATA) > 

<!ELEMENT ERRORS (#PCDATA) > 

<!ELEMENT HOST ID (#PCDATA) > 

<!ELEMENT CLOUD PROVIDER (#PCDATA) > 

<!ELEMENT CLOUD SERVICE (#PCDATA) > 

<!ELEMENT CLOUD RESOURCE ID (#PCDATA) > 

<!ELEMENT CLOUD RESOURCE TYPE (#PCDATA) > 

<!ELEMENT CLOUD ACCOUNT ID (#PCDATA) > 

<!ELEMENT CLOUD IMAGE ID (#PCDATA) > 

<!ELEMENT PUBLIC DNS NAME (#PCDATA) > 

<!ELEMENT VPC ID (#PCDATA)> 

<!ELEMENT INSTANCE STATE (4PCDATA) > 

<!ELEMENT PRIVATE DNS NAME (#PCDATA) > 

<!ELEMENT INSTANCE TYPE (#PCDATA) > 

<!ELEMENT REGION CODE (#PCDATA) > 

<!ELEMENT SUBNET ID (#PCDATA) > 

<!ELEMENT AVAILABILITY ZONE (#PCDATA) > 

<!ELEMENT PRIVATE IP ADDRESS (#PCDATA) > 

<!ELEMENT PUBLIC IP ADDRESS (#PCDATA) > 

<!ELEMENT GROUP ID (#PCDATA) > 

<!ELEMENT GROUP NAME (#PCDATA) > 

<!ELEMENT RESERVATION ID (#PCDATA) > 

<!ELEMENT LOCAL HOSTNAME (#PCDATA) > 

<!ELEMENT IS SPOT INSTANCE (#PCDATA) > 

<!ELEMENT MAC ADDRESS (#PCDATA) > 
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XPaths for Compliance Policy Report 


XPath element specifications / notes 
/COMPLIANGCE POLICY REPORT (ERROR | (HEADER, (SUMMARY), (RESULTS))) 


/COMPLIANCE POLICY REPORT/ERROR  (#PCDATA) 


An error message. 


attribute: number An error code, when available 
/COMPLIANCE_POLICY_REPORT/HEADER 
NAME, GENERATION_DATETIME, COMPANY_INFO, USER_INFO, FILTERS) 
/COMPLIANCE POLICY REPORT/HEADER/NAME  (#PCDATA) 


The report title as provided by the user at the time the report was 
generated. If a report title was not provided, then the report template title 
appears. 


/COMPLIANCE POLICY REPORT/HEADER/GENERATION DATETIME (#PCDATA) 


The date and time when the report was generated. 
/COMPLIANCE. POLICY REPORT/HEADER/COMPANY INFO 
(NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP CODE) 


The user's company name and address, as defined in the user's account. 
/COMPLIANCE. POLICY. REPORT/HEADER/USER INFO (NAME, USERNAME, ROLE) 
/COMPLIANCE. POLICY. REPORT/HEADER/USER. INFO/NAME (#PCDATA) 


The name of the user who generated the report. 
/COMPLIANCE POLICY REPORT/HEADER/USER INFO/USERNAME  (#PCDATA) 


The user login ID of the user who generated the report. 
/COMPLIANCE POLICY REPORT/HEADER/USER INFO/ROLE (#PCDATA) 


[he user role assigned to the user who generated the report: Manager, Unit 
Manager, Auditor, Scanner, or Reader. 


/COMPLIANCE_POLICY_REPORT/HEADER/FILTERS (POLICY, POLICY_LOCKING?, ASSET_GROUPS?, IPS?, 


HOST_INSTANCE?, ASSET_TAGS?, PC_AGENT_IPS?, POLICY_LAST_EVALUATED) 
/COMPLIANCE_POLICY_REPORT/HEADER/FILTERS/POLICY (#PCDATA) 

The title of the policy included in the report. 
/COMPLIANCE_POLICY_REPORT/HEADER/FILTERS/POLICY_LOCKING (#PCDATA) 

The locking status for the policy included in the report: Locked or Unlocked. 
/COMPLIANCE_POLICY_REPORT/HEADER/FILTERS/ASSET_GROUPS (ASSET. GROUP?) 

/COMPLIANCE POLICY REPORT/HEADER/FILTERS/ASSET. GROUPS/ASSET. GROUP (ID, NAME) 

/COMPLIANCE POLICY REPORT/HEADER/FILTERS/ASSET. GROUPS/ASSET. GROUP/ID (#PCDATA) 

P of the asset group in the report. 
/COMPLIANCE. POLICY REPORT/HEADER/FILTERS/ASSET. GROUPS/ASSET. GROUP/NAME (#PCDATA) 
Name of the asset group in the report. 
/COMPLIANCE POLICY REPORT/HEADER/FILTERS/IPS (IP LIST?, NETWORK?) 
/COMPLIANCE POLICY REPORT/HEADER/FILTERS/IPS/IP LIST (IP) 
/COMPLIANCE POLICY REPORT/HEADER/FILTERS/IPS/IP LIST/IP (#PCDATA) 
P in the report. 
/COMPLIANCE POLICY REPORT/HEADER/FILTERS/IPS/NETWORK (#PCDATA) 
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XPath element specifications / notes 
Network of the IPs in the report. 


/COMPLIANCE POLICY REPORT/HEADER/FILTERS/HOST. INSTANGCE (IP?, INSTANCE?) 
/COMPLIANCE POLICY REPORT/HEADER/FILTERS/HOST INSTANCE/IP (4PCDATA) 


P of host instance in report. 
/COMPLIANCE_POLICY_REPORT/HEADER/FILTERS/HOST_INSTANCE/INSTANCE (#PCDATA) 


D of host instance in report. 
/COMPLIANCE POLICY REPORT/HEADER/FILTERS/ASSET. TAGS (INCLUDED. TAGS?) 

/COMPLIANCE. POLICY REPORT/HEADER/FILTERS/ASSET. TAGS/INCLUDED TAGS (SCOPE, TAGS) 
/COMPLIANCE POLICY REPORT/HEADER/FILTERS/ASSET. TAGS/INCLUDED TAGS/SCOPE (#PCDATA) 


mi 


Tag selection scope for included tags i.e. any, all etc. 
/COMPLIANCE POLICY REPORT/HEADER/FILTERS/ASSET. TAGS/INCLUDED. TAGS/TAGS (NAME*) 


/COMPLIANCE. POLICY REPORT/HEADER/FILTERS/ASSET. TAGS/INCLUDED. TAGS/TAGS/ 
NAME (4PCDATA) 


EH 


Tag name of included tag. 
/COMPLIANCE_POLICY_REPORT/HEADER/FILTERS/ASSET_TAGS (EXCLUDED_TAGS?) 
/COMPLIANCE_POLICY_REPORT/HEADER/FILTERS/ASSET_TAGS/EXCLUDED_TAGS (SCOPE, TAGS) 


/COMPLIANCE_POLICY_REPORT/HEADER/FILTERS/ASSET_TAGS/EXCLUDED_TAGS/SCOPE (4PCDATA) 


Tag selection scope for excluded tags Le. any, all etc. 
/COMPLIANCE_POLICY_REPORT/HEADER/FILTERS/ASSET_TAGS/EXCLUDED_TAGS/TAGS (NAME”) 


/COMPLIANCE_POLICY_REPORT/HEADER/FILTERS/ASSET_TAGS/EXCLUDED_TAGS/TAGS/ 
NAME (#PCDATA) 


Tag name of excluded tag. 
/COMPLIANCE_POLICY_REPORT/HEADER/FILTERS/PC_AGENT_IPS (#PCDATA) 


Flag indicating whether IPs have agents installed with PC enabled. 
/COMPLIANCE_POLICY_REPORT/HEADER/FILTERS/POLICY_LAST_EVALUATED  (*PCDATA) 


The date and time the policy included in the report was last evaluated. 
/COMPLIANCE_POLICY_REPORT/SUMMARY 


(TOTAL_ASSETS, TOTAL_CONTROLS, CONTROL_INSTANCES, 
CONTROLS_SUMMARY?, HOST_STATISTICS?) 


/COMPLIANCE_POLICY_REPORT/SUMMARY/TOTAL_ASSETS  (*PCDATA) 
The number of hosts in the policy. 


/COMPLIANCE_POLICY_REPORT/SUMMARY/TOTAL_CONTROLS  (#PCDATA) 


The number of controls in the policy. 
/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROL_INSTANCES 


(TOTAL, TOTAL_PASSED, TOTAL_FAILED, TOTAL_ERROR, 
OTAL_EXCEPTIONS) 


/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROL_INSTANCES/TOTAL  (#PCDATA) 


The number of control instances in the report (sum of passed and failed 
instances). 


/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROL_INSTANCES/TOTAL_PASSED (#PCDATA) 


The number of control instances with a Passed status in the report. 
/COMPLIANCE POLICY REPORT/SUMMARY/CONTROL INSTANCES/TOTAL FAILED  (*+PCDATA) 
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XPath element specifications / notes 


[he number of control instances with a Failed status in the report. 


/COMPLIANCE_POLICY_REPORT/S 


UMMARY/CONTROL INSTANCES/TOTAL ERROR — (*PCDATA) 


[he number of control instances with an Error status in the report. An error 


status is returned for a custom control only in the case where an error 
occurred during control evaluation (and the ignore errors configuration 


option was not selected for the control). 


/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROL_INSTANCES/TOTAL_EXCEPTIONS (#PCDATA) 


The number of approved and pending exceptions in the policy report. 


/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROLS_SUMM. 


RY (CONTROL_INFO*) 


DEPRECATED? 


A 
/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROLS_SUMMARY/CONTROL_INFO 
M 


RDER, CONTROL_ID, STATEMENT, CRITICALITY?, PERCENTAGE, 


/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROLS_SUMMARY/CONTROL_INFO/ORDER 


(#PCDATA) 


[he order number of the control in the policy. Controls in section 1 are 
numbered 1.1, 1.2, 1.3, and so on. Controls in section 2 are numbered 2.1, 
2.2, 2.3, and so on. 


/COMPLIANCE. POLICY REPORT/SUMMARY/CONTROLS. SUMMARY/CONTROL INFO/CONTROL ID 


(#PCDATA) 


[he control ID number assigned to the control. 


/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROLS_SUMMARY/CONTROL_INFO/STATEMENT 


(#PCDATA) 


[he control statement that describes how a technology specific item should 
be implemented in the environment. 


/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROLS_SUMMARY/CONTROL_INFO/CRITICALITY 


(LABEL, VALUE) 


/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROLS_SUMMARY/CONTROL_INFO/CRITICALITY/ 


LABEL (#PCDATA 


A criticality label (e.g. SERIOUS, CRITICAL, URGENT) assigned to the 
control. 


/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROLS_SUMMARY/CONTROL_INFO/CRITICALITY/ 


VALUE (#PCDATA 


A criticality value (0-5) assigned to the control. 


/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROLS_SUMMARY/CONTROL_INFO/PERCENTAGE 


(#PCDATA) 


The percentage of hosts that passed for the control. For example, a value of 
“50% (3 of 6)” indicates that the control passed on 3 of the 6 hosts included 
in the report. 


/COMPLIANCE_POLICY_REPORT/SUMMARY/CONTROLS_SUMMARY/CONTROL_INFO/DEPRECATED 


(#PCDATA) 


The value 1 identifies a deprecated control. This element appears only for a 
deprecated control. 


/COMPLIANCE_POLICY_REPORT/RESULTS (HOST_LIST, CHECKS?, DP_DESCRIPTIONS?) 


/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST (HOST') 
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/COMPLIANCE POLICY REPORT/RESULTS/HOST. LIST/HOST 


OPERATING SYSTEM?, OS CPE?, LAST SCAN DATE?,TOTAL PASSED, 
TOTAL FAILED, TOTAL ERROR, TOTAL EXCEPTIONS, ASSET_TAGS?, 
CONTROL LIST, NETWORK?) 


(TRACKING METHOD, OG HOSTID?, IP, DNS?, NETBIOS?, 


/COMPLIANGCE POLICY REPOR 


/RESULTS/HOST. LIST/HOST/TRACKING. METHOD (#PCDATA) 
The tracking method for the host: IP, DNS, NetBIOS, or AGENT. 


/COMPLIANCE_POLICY_REPOR 


/RESULTS/HOST_LIST/HOST/IP  (#PCDATA) 


The IP address for the host. 


/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/QG_HOSTID (#PCDATA) 


The Qualys host ID assigned by Qualys. This is unique and persistent per 
host. Qualys host ID is assigned when the host is scanned and agentless 
tracking is enabled, or when a cloud agent is installed, whichever happens 
first. 


RT/RESULTS/HOST LIST/HOST/DNS (#PCDATA) 


The DNS hostname for the host, when available. 


/RESULTS/HOST. LIST/HOST/NETBIOS (#PCDATA) 
The NetBIOS hostname for the host, when available 


/RESULTS/HOST. LIST/HOST/OPERATING SYSTEM  (#PCDATA) 


[The operating system detected on the host. 


RT/RESULTS/HOST_LIST/HOST/OS_CPE (#PCDATA) 


The OS CPE name assigned to the operating system detected on the host. 
(The OS CPE name appears only when the OS CPE feature is enabled for the 
subscription, and an authenticated scan was run on this host after enabling 
this feature.) 


RT/RESULTS/HOST_LIS 


OST/LAST SCAN DATE — (4PCDATA) 


RT/RESULTS/HOST. LIST 


OST/ASSET. TAGS (ASSET_TAG*) 


/ 

The date and time the host was last scanned for compliance. 
/ 
/ 


/RESULTS/HOST_LIS OST/ASSET. TAGS/ASSET TAG  (#PCDATA) 


An assettag assigned to the host when the Asset Tagging feature is enabled 
in the user's account. 


/RESULTS/HOST LIST/HOST/TOTAL PASSED  (*PCDATA) 


[The number of control in the policy that Passed on the host. 


RT/RESULTS/HOST. LIST/HOST/TOTAL FAILED  (*PCDATA) 


The number of controls in the policy that Failed on the host. 


RT/RESULTS/HOST LIST/HOST/TOTAL ERROR  (#PCDATA) 


[The number of custom controls in the policy that were assigned the Error 
status on the host, because an error during control evaluation. 


RT/RESULTS/HOST_LIST/HOST/TOTAL_EXCEPTIONS (#PCDATA) 


[he number of approved and pending exceptions on the host. This includes 
control instances with the Failed and Error status. 
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/COMPLIANCE POLICY REPORT/RESULTS/HOST. LIST/HOST/CONTROL LIS (CONTROL?) 
/COMPLIANCE. POLICY. REPORT/RESULTS/HOST. LIST/HOST/CONTROL LIST/CONTROL 


(CID, STATEMENT, CRITICALITY?, CONTROL REFERENCES?, DEPRECATED?, 


RATIONALE?, INSTANCE?, STATUS, REMEDIATION?, TECHNOLOGY, 

EVALUATION_DATE?, EVIDENCE?, EXCEPTION?, CONTROL COMMENTS?) 
/COMPLIANCE. POLICY REPORT/RESULTS/HOST. LIST/HOST/CONTROL LIST/CONTROL/CID 

(#PCDATA) 

The control ID number assigned to the control. 
/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/ 
STATEMENT (#PCDATA) 

The control statement that describes how a technology specific item should 

be implemented in the environment. 
/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/CRITICALITY 

(LABEL, VALUE) 
/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/CRITICALITY/ 
LABEL (#PCDATA) 

A criticality label (e.g. SERIOUS, CRITICAL, URGENT) assigned to the 

control. 
/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/CRITICALITY/ 
VALUE (#PCDATA) 

A criticality value (0-5) assigned to the control. 
/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/ 


CONTROL_ 


REFERENCES (#PCDATA) 


User-defined references, added 


interface. 


to the control usi 


ng the Qualys user 


/COMPLIANCE_POLICY_REPORT/RESUL 


DEPRECATED  (#PCDATA) 


S/HOST_LIST/HOST/CONTROL_LIST/CON 


ROL/ 


The value 1 identifies a deprecated control. This element appears only for a 
deprecated control. 


/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CON 
(#PCDATA) 


A rationale statement that descr. 


implemented for the technology. 


ROL_LIS 


ibes how 


/CONTROL/RATIONALE 


the control should be 


/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/INSTANCE 
(#PCDATA) 

Instance information for an Oracle host in this format: Oracle technology 

version:SID:port. For example: Oracle10:ora102030p:1521. 
/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/STATUS 

(#PCDATA) 

The status for the control on the host: Passed, Failed or Error. 
/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/ 
REMEDIATION (#PCDATA) 

Remediation information for the control. 
/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/ 


TECHNOLOGY (ID, NAME)) 
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/COMPLIANGCE. POLICY. REPORT/RESULTS/HOST. LIST/HOST/CONTROL LIST/CONTROL/ 
TECHNOLOGY/ID (#PCDATA) 


Technology ID for the control. 


/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/ 
TECHNOLOGY/NAME (#PCDATA) 


Technology name for the control. 
/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/EVIDENCE 
(#PCDATA) 


One or more data point checks that returned results for the control on the 
host during the scan. The data point checks appear as CHECK1, CHECK2, 
and so on, which correspond to the <NAME> element for each check. 


/COMPLIANCE POLICY REPORT/RESULTS/HOST. LIST/HOST/NETWORK (#PCDATA) 


The network the host belongs to. 
/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/EXCEPTION 


(ASSIGNEE, STATUS, END_DATE, CREATED_BY, CREATED_DATE, 
MODIFIED_BY, MODIFIED_DATE, COMMENT_LIST?) 


/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/EXCEPTION/ 
ASSIGNEE (#PCDATA) 


The name of the user who is assigned the exception. 


/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/EXCEPTION/ 
STATUS (#PCDATA) 


The exception status: Pending, Accepted, Rejected and Expired. 


/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/EXCEPTION/ 
END DATE — (4PCDATA) 


The date the exception is set to expire. Note that end dates are only 
relevant to Accepted exceptions. 


/COMPLIANCE. POLICY REPORT/RESULTS/HOST. LIST/HOST/CONTROL LIST/CONTROL/EXCEPTION/ 
CREATED BY  (#PCDATA) 


The user who requested the exception. 


/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/EXCEPTION/ 
CREATED DATE  (#PCDATA) 


The date and time the exception was created. 


/COMPLIANCE. POLICY REPORT/RESULTS/HOST. LIST/HOST/CONTROL LIST/CONTROL/EXCEPTION/ 
MODIFIED BY  (#PCDATA) 


The user who last modified the exception. 


/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/EXCEPTION/ 
MODIFIED DATE  (#PCDATA) 


The date and time the exception was modified. 


/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/EXCEPTION/ 
LIST (COMMENT+) 


N 
/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/EXCEPTION/ 
NT_LIST/COMMEN (DATETIME, BY, TEXT 


/COMPLIANCE_POLICY_REPORT/RESULTS/HOST_LIST/HOST/CONTROL_LIST/CONTROL/EXCEPTION/ 
L 


ST/COMMENT/DATETIME — (*PCDATA 


The date and time when an action on the exception took place. 
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/COMPLIANCE POLICY REPORT/RESULTS/H 


The user who performed the acti 


OST. LIST/HOST/CONTROL L 
COMME LIST/COMMENT/BY  (#PCDATA) 


on on the exception. 


ST/CONTROL/EXCEPTION/ 


/COMPLIANCE_POLICY_REPORT/RESULTS/H 


— OST. LIST/HOST/CONTROL L 
COMMENT. LIST/COMMENT/TEXT — (4PCDATA) 


Comments entered by the user who per 


ST/CONTROL/EXCEPTION/ 


formed the action on the exception. 


/COMPLIANCE. POLICY REPORT/RESULTS/H 
NTS (#PCDAT. 


OST. LIST/HOST/CON 


ROL L 


ST/CONTROL/CONTROL COMME 


User-defined comments saved for the control. 


/COMPLIANCE POLICY REPORT/RESULTS/C 


ECKS  (CHECK”) 


/COMPLIANCE_POLICY_REPORT/RESULTS/C 


(NAME, DP 
REMOVED. 


ECKS/CHECK 


NAME, EXPECTED, ACTUAL, ADDED. DIRECTORIES?, 
DIRECTORIES?, PERMISSON CHANGED DIRECTORIES?, 


CONTENT. CHANGED DIRECTORIES?, PERMISSION TRANSLATION?, 


EXTENDED. 


EVIDENCE?, STATISTICS?) 


/COMPLIANCE POLICY REPORT/RESULTS/C 


ECKS/CHECK/NAME 


(#PCDATA) 


A service-defined tag assigned to each data point. 


/COMPLIANCE POLICY REPORT/RESULTS/C 


ECKS/CHECK/DP NAME (# 


PCDATA) 


A service-defined, unigue name for a data point. The data point name 
identifies whether the data point is custom, the type of check performed, 


and the data point 


D number. For example: custom.reg key. exist.1001660. 


/COMPLIANCE POLICY REPORT/RESULTS/CHECKS/C 


HECK/EXPECTED 


(V*, CRITERIA?) 


A data point “expected” value, as defined in the compliance policy. The 
“expected” value may include fixed value selections, user-customized 
evaluation criteria, or a combination of both. 


attribute: logic logic is a fixed value equa 


the “actua 
data point 
customize 


» 


d evaluation criteria. 


to “OR”. When present, the control will pass if 
value matches any of the “expected” values defined for the 
in the policy. This includes fixed value selections and user- 


/COMPLIANCE_POLICY_REPORT/RESULTS/C 


ECKS/CHECK/EXPEC'I 


FED/V 


(#PCDATA) 


A fixed value selected for the data point in the compliance policy. 


/COMPLIANCE_POLICY_REPORT/RESULTS/C 


compliance 


ECKS/CHECK/EXPEC 


e policy. 


ED/CRI 


ERIA (EVALUATION, V*) 


User-customized evaluation criteria for the data point, as defined in the 


/COMPLIANCE_POLICY_REPORT/RESULTS/C 
(#PCDATA) 


ECKS/CHECK/EXPEC 


ED/CRI 


ERIA/EVALUATION 


A data point rule used by the service to evaluate data point information 
gathered by the most recent compliance scan of the host. The data point 
rule includes the operator and cardinality options set in the compliance 
policy for the data point, if applicable. 


/COMPLIANCE_POLICY_REPORT/RESULTS/CHECKS/CHECK/EXPECTED/CRITERIA/V (#PCDATA) 


The user-provided “expected” value for the data point, as defined in the 


compliance 


e policy. 
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/COMPLIANCE POLICY REPORT/RESULTS/CHECKS/CHECK/ACTUAL  (V”) 
A data point “actual” value, as found by the service during the most recent 
scan. 
attribute: lastUpdated lastUpdated is the most recent date/time the datapoint was scanned. 
/COMPLIANCE POLICY REPORT/RESULTS/CHECKS/CHECK/ADDED DIRECTORIES  (V*) 
Added directories returned from integrity content check. 
/COMPLIANCE POLICY REPORT/RESULTS/CHECKS/CHECK/REMOVED DIRECTORIES (V*) 
Removed directories returned from integrity content check. 
/COMPLIANCE POLICY REPORT/RESULTS/CHECKS/CHECK/PERMISSION. CHANGED DIRECTORIES (V*) 
Directories with permissions changed, returned from integrity content 
check. 
/COMPLIANCE POLICY REPORT/RESULTS/CHECKS/CHECK/CONTENT. CHANGED DIRECTORIES (V^ 
Directories with content changed, returned from integrity content check. 
/COMPLIANCE POLICY REPORT/RESULTS/CHECKS/CHECK/PERMISSION. TRANSLATION - (PAIR+) 
/COMPLIANCE POLICY REPORT/RESULTS/CHECKS/CHECK/PERMISSION TRANSLATION/PAIR _ (K, V) 
/COMPLIANCE POLICY REPORT/RESULTS/CHECKS/CHECK/PERMISSION. TRANSLATION/PAIR/K 
(#PCDATA) 


A translation context key in a mappi 
untranslated value returned by the scanning 
registry or file/directory permission returned 


ng pair. This represents a raw, 
engine. Each key maps to a 
in the “actual” value. 


/COMPLIANCE_POLICY_REPORT/RESULTS/CHECKS/CHECK/PERMISS 


(#PCDATA) 


A translation context value in a mapping pai 


ON_TRANSLATION/PAIR/V 


. This represents the meaning 


associated with the raw value in the mapping pair. 


/COMPLIANCE_POLICY_REPORT/RES 


ULTS/CHEC 


KS/CHECK/EXTENDED_EVIDENCE 


(#PCDATA) 


Extended evidence includes additional findings/information collected 


during the eva 
returned from 
control value. 


uation of the cont 


ol on the host. This may include results 
queries made by the scanning engine when checking the 


/COM 
(STAT 


PLIANCE_POL 
SEARCHED, 


EPOR'I 


ON, ER 


P/ 


RES 
RORS?) 


ULTS/CHEC 


KS/CH 


ECK/STA! 


CS 


/COM 


PLIANCE_POL 


_REPORT 


F/ 


RES 


SAE 
Reports the 


EG 


KS/CH 


statistics 


ECK/STA 


informati 


CS/STATS (#PCDATA) 
for UDCs, for this check. 


/COM 


PLIANCE_POL 


_REPORT/ 


RES 


ULTS/C 
The durati 


EG 


ono 


KS/CH 
f the d 


ECK/STATIS 


CS/SEARCH_DURATION (#PCDATA) 


irectory search for this check. 


/COM 


PLIANCE_PO 


ER 


EPOR 


RES 


EG 


LTS/C 


errors 


Any 


KS/CH 


ECK/STATIST 


CS/ERRORS (#PCDATA) 
eported by this directory search check. 


/COM 


PLIANGE PO 


Gyan 


EPORT/ 


RES 


LTS/D 


P_DESCRIPTIONS 


(DP) 


/COM 


PLIANGE PO 


CYR 


EPOR'I 


F/ 


RESU 


LTS/D 
(DP. 


P DESCRIPTIONS/DP 
NAME, DESCRIPT 


ION, SCAN. PARAMETERS?) 


/COM 


PLIANGE PO 


CER 


EPOR'I 


T/RESU 


LTS/DP. DESCRIP'I 


FIONS/DP/DP. NAME 


(#PCDATA) 


A service-defined, unique name for a data point. The data point name 


identifies whether the da 
and the data point ID nu 


ta point is custom, the type of check performed, 
mber. For example: custom.reg_key_exist.1001660. 
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PLIANGE POL 


/RESULTS/DP_D 


A user-provided descri 
control.) 


ESCRIPTIONS/DP/DESCRIPTION 


(#PCDATA) 


ption for the data point. (Applies to a custom 


PLIANCE POL 


/RESULTS/DP_D 


ESCRIPTIONS/DP/SCAN_PARAMETERS 


(PARAMS) 


PLIANCE_POL EPORT/RES 


ULTS/DP_D 
(LABEL, VALUE) 


ESCRIPTIONS/DP/SCAN_PARAMETERS/PARAM 


PLIANCE_POLICY_REPORT/RES 


ULTS/DP_D 
(#PCDATA) 


A service-defined label for a scan parameter: 
NAME, File path, and Hash Type. (Only applies 


control.) 


ESCRIPTIONS/DP/SCAN_PARAMETERS/PARAM/LABEL 


Registry Hive 
to a user-defi 


Registry Key, 
ned custom 


/COMPLIANCE_POLICY_REPORT/RESU 


(4PCDATA) 


A va 
in the <LABEL> element. 


LTS/DP_DESCRIPTIONS/DP/SCAN_PARAMETERS/PARAM/VALUE 


ue for a scan parameter, which corresponds to a scan parameter label 


/COMPLIANCE_POLICY_REPORT/SUMMARY/HOS 


_STATISTICS 


(HOST_INFO+) 


/COMPLIANCE_POLICY_REPORT/SUMMARY/HOS 


ESTATIS 


ICS/HOST. 


NFO 


(IP, TRACKING M 


ETHOD, QG_HOSTID?, DNS, NETBIOS, 


OPERATING. SYSTEM, LAST. SCAN DATE, PERCENTAGE, 


NETWORK?,HOST_ 


D?,CLOUD_PROV 


DER?,CLOUD_SERVICE?, CLOUD_RESO 


URCE ID?, CLOUD RESOURCE TYPE?,CLOUD ACCOUNT ID?, 
CLOUD IMAGE ID?,CLOUD. RESOURCE INFO?)> 
/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST INFO/IP (#PCDATA) 
The host's IP address. 
/COMPLIANCE. POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/TRACKING. METHOD (#PCDATA) 
Tracking method used to discover the host. 
/COMPLIANCE. POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/OG. HOSTID (#PCDATA) 
The Oualys host ID assigned by Oualys. This is unigue and persistent per 
host. Qualys host ID is assigned when the host is scanned and agentless 
tracking is enabled, or when a cloud agent is installed, whichever happens 
firs 
RT/SUMMARY/HOST_STATISTICS/HOST_INFO/DNS (#PCDATA) 
The host's DNS name. 
F/SUMMARY/HOST. STATISTICS/HOST INFO/NETBIOS (#PCDATA) 
The host's NetBIOS hostname 
pe F/SUMMARY/HOST. STATISTICS/HOST. INFO/ 
FING SYSTEM TA) 
The host's NetBIOS hostname 
L F/SUMMARY/HOST. STATISTICS/HOST. INFO/ 
SCAN. DATE (#PCD. 
The most recent date the host was scanned. 
F/SUMMARY/HOST. STATISTICS/HOST INFO/PERCENTAGE — (4PCDATA) 
The percentage of controls that passed on the host. 
F/SUMMARY/HOST. STATISTICS/HOST INFO/NETWORK  (*PCDATA) 
The network the host belongs to. 
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/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST INFO/HOST ID (#PCDATA) 
The host's unigue ID. 

/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST INFO/CLOUD PROVIDER (#PCDATA) 
(Applicable when cloud metadata is included in the report.) The cloud 
provider (e.g. AWS). 

/COMPLIANCE. POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST INFO/CLOUD SERVICE — (4PCDATA) 
(Applicable when cloud metadata is included in the report.) The cloud 
service (e.g. EC2). 

/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD RESOURCE ID 

(#PCDATA) 

Applicable when cloud metadata is included in the report.) The cloud 
esource ID. 

/COMPLIANCE_POLICY_REPORT/SUMMARY/HOST_STATISTICS/HOST_INFO/CLOUD_RESOURCE_TYPE 

(#PCDATA) 

Applicable when cloud metadata is included in the report.) The cloud 
esource type (e.g. Instance). 
/COMPLIANCE_POLICY_REPORT/SUMMARY/HOST_STATISTICS/HOST_INFO/CLOUD_ACCOUNT_ID 
(#PCDATA) 
Applicable when cloud metadata is included in the report.) The cloud 
account ID. 

/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST INFO/CLOUD IMAGE ID  (*PCDATA) 
Applicable when cloud metadata is included in the report.) The cloud 
image ID. 

/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD RESOURCE INFO 
PUBLIC IP ADDRESS?, PRIVATE IP ADDRESS?, VPC_ID?, SUBNET ID?, 
NSTANCE_TYPE?, INSTANCE. STATE?, REGION CODE?, 
AVAILABILITY ZONE?, PRIVATE. DNS NAME?, PUBLIC DNS NAME? , 
GROUP ID?, GROUP NAME?, RESERVATION ID?, IS SPOT INSTANCE?, 
LOCAL HOSTNAME?, MAC ADDRESS?)> 

/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD RESOURCE INFO/PUBLI 

C IP ADDRESS (#PCDATA) 

(Applicable when cloud metadata is included in the report.) The public IP 
address. 

/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD RESOURCE INFO/PRIVA 

TE IP ADDRESS  (#PCDATA) 

(Applicable when cloud metadata is included in the report.) The private IP 
address. 

/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD RESOURCE INFO/VPC. I 

D  (*PCDATA) 

Applicable when cloud metadata is included in the report.) The VPCID. 

/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD. RESOURCE INFO/SUBN 

ET ID (#PCDATA) 

Applicable when cloud metadata is included in the report.) The subnet ID. 

/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD RESOURCE INFO/INSTA 

NCE TYPE  (#PCDATA) 

Applicable when cloud metadata is included in the report.) The instance 
type (e.g. t2.micro). 
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/COMPLIANCE. POLICY. REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD. RESOURC 
NCE STATE — (*PCDATA) 


mi 


_INFO/INSTA 


(Applicable when cloud metadata is included in the report.) The instance 
state (e.g. PENDING, RUNNING, TERMINATED, STOPPED). 


/COMPLIANCE_POLICY_REPORT/SUMMARY/HOST_STATISTICS/HOST_INFO/CLOUD_RESOURCE_INFO/REGIO 
N_CODE — (*PCDATA) 


(Applicable when cloud metadata is included in the report.) The region 
code. 


/COMPLIANCE_POLICY_REPORT/SUMMARY/HOST_STATISTICS/HOST_INFO/CLOUD_RESOURCE_INFO/AVAIL 
ABILITY ZONE (#PCDATA) 


(Applicable when cloud metadata is included in the report.) The availability 
zone in which the instance launched. 


/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD RESOURCE INFO/PRIVA 
TE DNS NAME  (#PCDATA) 


(Applicable when cloud metadata is included in the report.) The private 
DNS hostname. 


/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD RESOURCE INFO/PUBLI 
C DNS NAME (#PCDATA) 


(Applicable when cloud metadata is included in the report.) The public DNS 
hostname. 


/COMPLIANCE. POLICY. REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD. RESOURCE. INFO/GROU 
PID (#PCDATA) 


(Applicable when cloud metadata is included in the report.) The group ID. 


/COMPLIANCE_POLICY_REPORT/SUMMARY/HOST_STATISTICS/HOST_INFO/CLOUD_RESOURCE_INFO/GROU 
P NAME (#PCDATA) 


(Applicable when cloud metadata is included in the report.) The group 
name. 


/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD RESOURCE INFO/RESER 
VATION ID  (#PCDATA) 


(Applicable when cloud metadata is included in the report.) The reservation 
ID. 


/COMPLIANCE POLICY REPORT/SUMMARY/HOST. STATISTICS/HOST. INFO/CLOUD RESOURCE INFO/IS SP 
OT INSTANCE (#PCDATA) 


(Applicable when cloud metadata is included in the report.) Indicates 
whether the instance is a Spot instance. A value of 0 means it is not a Spot 
instance. A value of 1 means it is a Spot instance. 


/COMPLIANCE_POLICY_REPORT/SUMMARY/HOST_STATISTICS/HOST_INFO/CLOUD_RESOURCE_INFO/LOCA 
L HOSTNAME (#PCDATA) 


(Applicable when cloud metadata is included in the report.) The local 
hostname. 


/COMPLIANCE_POLICY_REPORT/SUMMARY/HOST_STATISTICS/HOST_INFO/CLOUD_RESOURCE_INFO/MAC_ 
ADDRESS — (#PCDATA) 


(Applicable when cloud metadata is included in the report.) The MAC 
address. 
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Sample Compliance Policy Report XML Output 


The compliance policy report XML includes three data point evaluation types: 1) user- 
customized evaluation criteria, 2) fixed value selection, and 3) a combination of user- 
customized evaluation criteria and fixed values. Sample XML output is provided below. 


Sample 1: Only User-Customized Criteria (No Fixed Values) 
A control that does not have any fixed values looks like this: 


<CHECK> 
<NAME>CHECK14</NAME > 
<DP NAME>auth.passwords.expirywarning</DP NAME> 
<EXPECTED logic="0R"> 
<CRITERIA> 
<EVALUATION><! [CDATA[less than] ]></EVALUATION> 
<V><! [CDATA[ 14 ]]></V> 
</CRITERIA> 
</EXPECTED> 
<ACTUAL lastUpdated="2012-04-01T15:21:36Z"> 
<V><! [CDATA [14] ]></V> 
</ACTUAL> 
</CHECK> 


Sample 2: Only Fixed Values (No User-Customized Criteria) 


For controls that only allow fixed value selection (user must select/clear checkboxes in the 
policy editor), the evaluation looks like this: 


<CHECK> 
<NAME>CHECK14</NAME > 
<DP NAME>auth.passwords.expirywarning</DP NAME> 
<EXPECTED logic="OR"> 
<V><! [CDATA[ Enabled] ]></V> 
<V><![CDATA[ RegKey not found] ]></V> 
<V><![CDATA[ RegSubKey not found]]></V> 
</EXPECTED> 
<ACTUAL lastUpdated="2012-04-01T15:21:362Z"> 
<V><! [CDATA [14] ]></V> 
</ACTUAL> 
</CHECK> 


In this example, each fixed value checkbox selected in the policy is displayed in a separate <V> 
element under <EXPECTED>. Note that there is no <CRITERIA> element under <EXPECTED> 
because there is no user-customized evaluation criteria. 


Sample 3: Fixed Values and User-Customized Criteria 


For controls using the fixed values in addition to user-customized evaluation criteria, the 
evaluation looks like this: 


<CHECK> 
<NAME>CHECK14</NAME > 
<DP NAME>auth.passwords.expirywarning</DP NAME> 
<EXPECTED logic="OR"> 
<CRITERIA> 
<EVALUATION><! [CDATA[less than] ]></EVALUATION> 
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<V><! [(CDATA [14] ]></V> 

</CRITERIA> 

<V><![CDATA[ RegSubKey not found]]></V> 
</EXPECTED> 
<ACTUAL lastUpdated="2012-04-01T15:21:36Z"> 
<V><! [CDATA [14] ]></V> 

</ACTUAL> 
</CHECK> 


In this example, the <EXPECTED> element is used to display both the fixed value checkbox 
selections and the user-provided evaluation criteria (less than operator + value 14). 
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Compliance Authentication Report 


The authentication report XML is returned when you download a saved authentication 
report using the Oualys user interface 


DTD for Compliance Authentication Report 


<platform API server>/compliance a 


uthentication_report.dtd 


A recent DTD is shown below. 
<!-- QUALYS COMPLIANCE AUTHENTICATION REPORT DTD --> 
<!-- SRevision$ --> 
<!ELEMENT COMPLIANCE AUTHENTICATION REPORT (ERROR | (HEADER, 
(BUSINESS UNIT LIST | ASSET GROUP LIST | ASSET TAG LIST | IPS LIST)))> 
<!ELEMENT ERROR (#PCDATA) > 
<!ATTLIST ERROR number CDATA #IMPLIED> 
<!ELEMENT HEADER (NAME, GENERATION DATETIME, COMPANY INFO, USER INFO, 
FILTERS) > 
<!ELEMENT NAME (#PCDATA)> 
<!ELEMENT GENERATION DATETIME (#PCDATA) > 
<!ELEMENT COMPANY INFO (NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP CODE) > 
<!ELEMENT ADDRESS (#PCDATA) > 
<!ELEMENT CITY (#PCDATA)> 
<!ELEMENT STATE (#PCDATA) > 
<!ELEMENT COUNTRY (#PCDATA) > 
<!ELEMENT ZIP CODE (#PCDATA) > 
<!ELEMENT USER INFO (NAME, USERNAME?, ROLE) > 
<!ELEMENT USERNAME (#PCDATA)> 
<!ELEMENT ROLE (#PCDATA) > 
<!ELEMENT FILTERS (BUSINESS UNIT LIST | ASSET GROUP LIST | ASSET TAG LIST 
| (IPS LIST, NETWORK?) )> 
<!ELEMENT BUSINESS UNIT LIST (BUSINESS UNIT*)> 
<!ELEMENT BUSINESS UNIT 
(NAME |AUTH PASSEDJAUTH INSUFFICIENT|AUTH FAILED|AUTH NOT ATTEMPTED|AUTH N 
OT INSTALLEDJAUTH TOTAL|PASSED PERCENTAGE | FAILED PERCENTAGE |NOT ATTEMPTED 
_ PERCENTAGE | TECHNOLOGY LIST) *> 
<!ELEMENT AUTH PASSED (#PCDATA) > 
<!ELEMENT AUTH INSUFFICIENT (#PCDATA) > 
<!ELEMENT AUTH TOTAL (#PCDATA) > 
<!ELEMENT PASSED PERCENTAGE (#PCDATA) > 
<!ELEMENT ASSET TAG LIST ((INCLUDED TAGS, EXCLUDED TAGS?) | ASSET TAG) > 
<!ELEMENT ASSET TAG 
(INCLUDED TAGS |EXCLUDED TAGS|AUTH PASSED|AUTH INSUFFICIENT|AUTH FAILED |AU 
TH NOT ATTEMPTED|AUTH NOT INSTALLED|AUTH TOTAL| PASSED PERCENTAGE|FAILED P 
ERCENTAGE|NOT ATTEMPTED PERCENTAGE | TECHNOLOGY LIST) *> 
<!ELEMENT INCLUDED TAGS (TAG ITEM+) > 
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<!ATTLIST INCLUDED TAGS scope (any|all) #REQUIRED> 
<!ELEMENT EXCLUDED TAGS (TAG ITEM+) > 
<!ATTLIST EXCLUDED TAGS scope (anylall) #REQUIRED> 


<!ELEMENT TAG ITEM (#PCDATA) > 


<!ELEMENT ASSET GROUP LIST (ASSET GROUP*) > 
<!ELEMENT ASSET GROUP 
(NAME | AUTH PASSEDJAUTH INSUFFICIENT|AUTH FAILED|AUTH NOT ATTEMPTED|AUTH N 
= ED|AUTH TOTAL|PASSED PERCENTAGE | FAILED PERCENTAGE |NOT ATTEMPTED 
PERCENTAGE | TECHNOLOGY LIST) *> 


T 


O 
H 
H 
Z 
wn 
3 
D 
E 

rj 


<!ELEMENT IPS LIST (IPS+)> 
<!ELEMENT IPS 
(NAME | AUTH PASSEDJ|AUTH INSUFFICIENT|AUTH FAILED|AUTH NOT ATTEMPTED|AUTH N 
OT _INSTALLED|AUTH TOTAL|PASSED PERCENTAGE |FAILED PERCENTAGE |NOT ATTEMPTED 
PERCENTAGE | TECHNOLOGY LIST) *> 


T 


+ AUTH FAILED (#PCDATA) > 
<!ELEMENT AUTH NOT ATTEMPTED (#PCDATA) > 

a AUTH NOT INSTALLED (#PCDATA) > 
<!ELEMENT FAILED PERCENTAGE (#PCDATA) > 


<!ELEMENT NOT ATTEMPTED PERCENTAGE (#PCDATA) > 


<!ELEMENT TECHNOLOGY LIST (TECHNOLOGY* ) > 
<!ELEMENT TECHNOLOGY (NAME, HOST LIST) > 
<!ELEMENT HOST LIST (HOST* 
<!ELEMENT HOST (TRACKING METHOD, IP, DNS?, NETBIOS?, HOST TECHNOLOGY?, 
INSTANCE?, STATUS, CAUSE?, NETWORK?, OS?, LAST AUTH?, LAST SUCCESS?, 
D?,ALL ASSET TAGS?) > 

<!ELEMENT TRACKING METHOD (#PCDATA) > 


<!ELEMENT IP (#PCDATA) > 
<!ELEMENT DNS (#PCDATA) > 
<!ELEMENT HOST TECHNOLOGY (#PCDATA) > 
<!ELEMENT NETBIOS (#PCDATA) > 
<!ELEMENT INSTANCE (#PCDATA) > 
<!ELEMENT STATUS (#PCDATA) > 
<!ELEMENT CAUSE (#PCDATA) > 

N 


! ETWORK (#PCDATA) > 
<!ELEMENT OS (#PCDATA)> 
<!ELEMENT LAST AUTH (#PCDATA) > 
<!ELEMENT LAST SUCCESS (#PCDATA) > 
<!ELEMENT HOST_ID (#PCDATA) > 
<!ELEMENT ALL ASSET TAGS (#PCDATA) > 


XPaths for Compliance Authentication Report 


XPath element specifications / notes 
/COMPLIANCE_AUTHENTICATION_REPORT 


(ERROR | (HEADER, (BUSINESS UNIT. LIST | ASSET. GROUP LIST | 
ASSET. TAG LIST| IPS LIST))) 


/COMPLIANCE AUTHENTICATION REPORT/ERROR — (#PCDATA) 
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attribute: number 


An error code, when available 


/COMPLIANCE_AUTHENTICA’ 


ION_REPORT/HEADER 
(NAME, GEN 


ERATION_DATETIME, COMPANY_INFO, USER_INFO, FILTERS) 


/COMPLIANCE_AUTHENTICA! 


ION_REPORT/H 


The report t 
generated. I 
appears. 


EADER/NAME 


(#PCDATA) 


itle as provided by the user at the time the report was 
f a report title was not provided, then "Authentication Report’ 


' 


/COMPLIANCE_AUTHENTICA! 


ION_REPORT/HEADER/GEN 


The date 


and time when 


ERATION_DATETIME 


(#PCDATA) 


the report was generated. 


/COMPLIANCE_AUTHENTICA! 


ION_REPORT/HEADER/COMPANY_INF 


(NAME, AD 


O 


DRESS, CITY, STATE, COUNTRY, ZIP_CODE) 


The user's company name and address, as defined in the user's account. 


/COMPLIANCE_AUTHENTICA 


ION_REPORT/HEADER/US FO 


ER_IN 


( 


NAME, USERNAME, ROLE) 


/COMPLIANCE. AUTHENTICA 


EADER/ 


f the user 


ION. REPORT/ 


The nam 


eo 


FO/NAME 


generated the report. 


(#PCDATA) 


/COMPLIANCE_AUTHENTICA! 


EADER/ 
D of 


ION. REPORT/ FO/US 


[he user 


login 


ERNAME — (4PCDATA) 


who generated the report. 


/COMPLIANCE_AUTHENTICAT 


ON_REPORT/HEADER/USER_IN 


The user 


ro 


FO/ROLE 


e assigned to the user who generated the report. 


(#PCDATA) 


/COMPLIANCE_AUTHENTICA! 


R/FILTERS 
LIST 


_REPORT/HEADE 


USINESS UNIT. 
ETWORK?)) 


ASSET. GROUP LIST | ASSET. TAG LIST | (IPS LIST, 


/COMPLIANCE Ai CA 


_REPORT/HEADE 


[he business units included in the 


R/FILTERS/BUSINESS_UNI 


_LIST (BUSINESS UNIT”) 


report source. 


/COMPLIANCE Ai CA 


_REPORT/HEADER/F 


NAMEJAUTH PASSEDJAUTH INSU 
EMPTEDJAUTH. NOT INSTALLED 
LED PERCENTAGEJNOT. A 


Host information for 


LTERS/BUSINESS. UNI 


' LIST/BUSINESS UNIT 


FFICIENTJAUTH. FAILEDJAUTH NOT AT 
AUTH_TOTAL|PASSED_PERCENTAGE|FAI 


TEMPTED_PERCENTAGE|TECHNOLOGY_LIST) 


a business unit. 


/COMPLIANCE_AUTHENTICA! 


ION_REPORT/HEADER/FILTERS/ASSE 


AG ALS 


(INCLUDE 


D_TAGS, EXCLUDED_TAGS?) | ASSET_TAG) 


/COMPLIANCE_AUTHENTICA! 


ION. REPORT/HEADER/F 


LTERS/ASSET_ 


'AG_LIST/INCLUDED_TAGS 


TAG_ITEM+) 


The list of asset tags 
hosts matching all ta 
the tags. 


inc 
gs, 


uded in the report source. The scope “all” means 
scope “any” means hosts matching at least one of 


/COMPLIANCE_AUTHENTICA! 


TAG_ITEM (*PCDATA) 


ION_REPORT/HEADER/FILT 


The asset tag name for 


ERS/ASSET_ 


a tag included. 


'AG_LIST/INCLUDED_TAGS/ 


/COMPLIANCE_AUTHENTICA! 


(TAG_ITEM+) 


ION_REPORT/HEADER/FILTERS/ASSET 
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XPath element specifications / notes 
The list of asset tags excluded from the report source. The scope “all” 
means hosts matching all tags; scope “any” means hosts matching at least 
one of the tags. 


/COMPLIANCE AUTHENTICATION. REPORT/HEADER/FILTERS/ASSET. TAG LIST/EXCLUDED. TAGS/ 
TAG. ITEM (#PCDATA 


The asset tag name for a tag excluded. 
/COMPLIANCE AUTHENTICATION. REPORT/HEADER/FILTERS/ASSET. TAG LIST/ASSET. TAG 
INCLUDED. TAGSJEXCLUDED. TAGSJAUTH. PASSEDJAUTH INSUFFICIENTJA 


UTH FAILEDJAUTH NOT. ATTEMPTEDJAUTH. NOT INSTALLEDJAUTH. TOT 


AL|PASSED_PERCENTAGE|FAILED_PERCENTAGE|NOT_ATTEMPTED_PERCEN 


TAGE|TECHNOLOGY_LIST) 
Host information for an asset tag. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/ASSET_GROUP_LIST (ASSET. GROUP*) 


[he asset groups included in the report source. 
/COMPLIANCE AUTHENTICATION. REPORT/HEADER/FILTERS/ASSET. GROUP LIST /ASSET. GROUP 


NAMEJAUTH. PASSEDJAUTH INSUFFICIENTJAUTH. FAILEDJAUTH. NOT AT 
EMPTEDJAUTH. NOT INSTALLEDJAUTH TOTALJPASSED. PERGENTAGEJFAI 


LED PERCENTAGEINOT. ATTEMPTED. PERCENTAGEITECHNOLOGY LIST) 


Host information for an asset group. 
/COMPLIANCE AUTHENTICATION REPORT/HEADER/FILTERS/IPS LIST  (IPS+) 


The IPs included in the report source. 
/COMPLIANCE AUTHENTICATION. REPORT/HEADER/FILTERS/IPS. LIST/IPS 


NAMEJAUTH. PASSEDJAUTH INSUFFICIENTJAUTH. FAILEDJAUTH. NOT AT 
TEMPTEDJAUTH. NOT INSTALLEDJAUTH. TOTALJPASSED PERCENTAGE|FAI 


LED. PERCENTAGEJN OT ATTEMPTED. PERCENTAGEITECHNOLOGY LIST) 


m 


H 


Host information for an IP. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/NETWORK (#PCDATA) 
The network selected for the report. 

/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/NAME 
#PCDATA) 


The name of the business unit or asset group. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/AUTH_PASSED 
#PCDATA) 

The number of hosts that passed authentication. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/AUTH_INSUFFICIENT 
#PCDATA) 


The number of hosts that passed with insufficient privileges, meaning that 
the scanning engine was able to authenticate to the hosts but there were 
insufficient privileges to perform posture evaluation. 


/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/AUTH_FAILED 
#PCDATA) 


The number of hosts that failed authentication. 
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XPath element specifications / notes 
/COMPLIANCE AUTHENTICATION. REPORT/HEADER/FILTERS/[type listy/(typeJ/AUTH. NOT. ATTEMPTED 

(#PCDATA) 

The number of hosts where authentication was not used. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/AUTH_NOT_INSTALLED 
(#PCDATA 

The number of hosts where authentication resulted in ERROR. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/AUTH_TOTAL 
(#PCDATA 


The total number of scanned hosts. 


/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type]/PASSED_PERCENTAGE 


(#PCDATA\ 


The percentage of scanned hosts that passed. 


/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/FAILED_PERCENTAGE 


(#PCDATA 

The percentage of scanned hosts that failed. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/NOT_ATTEMPTED_PERCENT 
AGE (#PCDATA) 

The percentage of scanned hosts where authentication was not used. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type]/TECHNOLOGY_LIST 

TECHNOLOGY”) 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/TECHNOLOGY_LIST/ 
TECHNOLOGY (NAME, HOST_LIST 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/TECHNOLOGY_LIST/ 
TECHNOLOGY/NAME  (#PCDATA) 

The authentication type, such as Windows, SSH, Oracle, SNMP, etc. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/TECHNOLOGY_LIST/ 
TECHNOLOGY/HOST_LIS GOSI 
/COMPLIANGCE. AUTHENTICATION. REPORT/HEADER/FILTERS/[type. list)/(type//TECHNOLOGY. LIST/ 
TECHNOLOGY/HOST. LIST/HOST 

TRACKING METHOD, IP, DNS?, NETBIOS?, HOST TECHNOLOGY?, 

NSTANCE?, STATUS, CAUSE?, NETWORK?, OS?, LAST AUTH?, 

LAST. SUCCESS?) 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/TECHNOLOGY_LIST/ 
TECHNOLOGY/HOST. LIST/HOST/TRACKING METHOD  (#PCDATA 

The tracking method assigned to the host: IP, DNS, or NETBIOS. 
/COMPLIANCE AUTHENTICATION. REPORT/HEADER/FILTERS//!type list//(type//TECHNOLOGY LIST/ 
TECHNOLOGY/HOST. LIST/HOST/IP (*PCDATA) 

The IP address for the host. 

COMPLIANCE AUTHENTICATION. REPORT/HEADER/FILTERS/[type list)/(type)/ TECHNOLOGY LIST/ 
TECHNOLOGY/HOST_LIST/HOST/DNS (#PCDATA 

The DNS hostname for the host, when available. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/TECHNOLOGY_LIST/ 
TECHNOLOGY/HOST_LIST/HOST/NETBIOS (#PCDATA) 

The NetBIOS hostname for the host, when available. 
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XPath element specifications / notes 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/TECHNOLOGY_LIST/ 
TECHNOLOGY/HOST. LIST/HOST/HOST. TECHNOLOGY (#PCDATA 

The compliance technology the host's operating system is matched to. 
/COMPLIANCE AUTHENTICATION. REPORT/HEADER/FILTERS/!type listy/(typeJ/TECHNOLOGY LIST/ 
TECHNOLOGY/HOST_LIST/HOST/INSTANCE - (*PCDATA) 

f the compliance information applies to a technology version on the host, 

ike an Oracle version, instance information appears in this format: Port 


<number>, SID <value>. For example: Port 1521, SID ora010203p. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/TECHNOLOGY_LIST/ 
TECHNOLOGY/HOST_LIST/HOST/STATUS - (*PCDATA) 

The host's authentication status: Passed, Failed, or Passed*. Passed* 

indicates that authentication to the host was successful but the login 

account had insufficient privileges. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/TECHNOLOGY_LIST/ 
TECHNOLOGY/HOST_LIST/HOST/CAUSE (#PCDATA) 

Additional information for a host with a Failed or Passed* status. This may 

include the login ID used during the authentication attempt. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/TECHNOLOGY_LIST/ 
TECHNOLOGY/HOST_LIST/HOST/NETWORK  (*PCDATA) 

The network the host belongs to. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/TECHNOLOGY_LIST/ 
TECHNOLOGY/HOST. LIST/HOST/OS  (*PCDATA) 

The host's operating system. 

/COMPLIANCE AUTHENTICATION. REPORT/HEADER/FILTERS//type list//(type//TECHNOLOGY LIST/ 
TECHNOLOGY/HOST_LIST/HOST/LAST_AUTH (#PCDATA 

The last time the host was scanned using authentication. This is when the 

status was last updated to Passed or Failed. 
/COMPLIANCE_AUTHENTICATION_REPORT/HEADER/FILTERS/{type_list}/{type}/TECHNOLOGY_LIST/ 
TECHNOLOGY/HOST_LIST/HOST/LAST_SUCCESS (#PCDATA) 

The last time authentication was successful for the host. N/A indicates that 


the host has been scanned with au 


successful. 


thentication enabled but it has not been 
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Compliance Scorecard Report 


The compliance scorecard report XML is returned when you download a saved report 
using the Oualys user interface. 

DTD for Compliance Scorecard Report 

<platform API server>/compliance_scorecard_report.dtd 

A recent DTD is shown below. 


<?xml version="1.0" encoding="UTF-8"?> 
<!-- QUALYS COMPLIANCE SCORECARD REPORT DTD --> 


<!ELEMENT COMPLIANCE SCORECARD REPORT (ERROR | (HEADER, (SUMMARY), 
(DETAILS) ))> 

<!ELEMENT ERROR (#PCDATA|COUNT| PERCENT) *> 

<!ATTLIST ERROR number CDATA #IMPLIED> 


<!ELEMENT HEADER (REPORT_TYPE, GENERATION DATETIME) > 
<!ELEMENT SUMMARY (ABOUT REPORT, REPORT SETTINGS, REPORT DISCOVERIES) > 
<!ELEMENT ABOUT REPORT (REPORT TYPE, CREATED, USER NAME, LOGIN NAME, 
USER ROLE, COMPANY INFO) > 
<!ELEMENT COMPANY INFO (NAME, ADDRESS, CITY, STATE, COUNTRY, ZIP CODE) > 
<!ELEMENT REPORT SETTINGS (TEMPLATE, NUMBER OF POLICIES, 
REPORT TIMEFRAME, ASSET GROUPS*, ASSET TAGS*, 
CRITICALITY*) > 
<!ELEMENT REPORT DISCOVERIES (OVERALL COMPLIANCE, BY CONTROL, BY HOSTS, 
BY TECHNOLOGY, BY CRITICALITY*) > 
<!ELEMENT ASSET GROUPS (ASSET GROUP NAME) +> 
<!ELEMENT ASSET TAGS ((INCLUDED TAGS, EXCLUDED TAGS?) | ASSET TAG?)> 
<!ELEMENT OVERALL COMPLIANCE (OVERALL COMPLIANCE PERCENT, UNIQUE POLICES, 
PASSED, FAILED, ERROR)> 
<!ELEMENT BY CONTROL (TOTAL CONTROL DETECTED, CHANGED CONTROL, PASSED, 
FAILED, ERROR) > 

ENT PASSED (COUNT, PERCENT) > 
ENT FAILED (COUNT, PERCENT) > 
ENT BY HOSTS (TOTAL HOSTS IN POLICIES, SCANNED HOSTS, CHANGED) > 


ENT BY TECHNOLOGY ((TOTA , TECHNOLOGY, CHANGED TECHNOLOGY, 
TECHNOLOGY*) | (TECHNOLOGY+) ) > 


El 


Ti 


N 
+ 
H 
+ 
A 

3 
3 
3 
3 
Y 
Ha 


HNOLOGY 
E| CONTROL INSTANCES|COUNT|PERCENT|PASSED_TOTAL|PASSED CHANGED 
TOTAL|FAILED CHANGED|ERROR TOTAL|ERROR CHANGED | COMPLIANCE) *> 


<!ELEMENT DETAILS (COMPLIANCE BY POLICY*, COMPLIANCE BY ASSET GROUP*, 
COMPLIANCE BY ASSET TAG*, COMPLIANCE BY TECHNOLOGY*, 
COMPLIANCE BY CRITICALITY*, TOP HOST WITH CHANGES*, 
TOP CONTROLS WITH CHANGES*, 
FAILED CONTROLS BY CRITICALITY*) > 
EMENT COMPLIANCE BY POLICY (DETAIL DATE, BY POLICY*, 
BY POLICY ASSET GROUP*, 
BY POLICY ASSET TAG*, 
BY POLICY TECHNOLOGY*) > 
<!ELEMENT COMPLIANCE BY ASSET GROUP (DETAIL DATE, BY ASSET GROUP*, 


BY ASSET GROUP POLICY*, 


1] 


T 


T 


H 


<!E 


T 
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BY ASSET GROUP TECHNOLOGY*) > 


EMENT COMPLIANCE BY ASSET TAG (DETAIL DATE, BY ASSET TAG*, 


ET TAG TECHNOLOGY*) > 


D 

BY ASSET TAG POLICY*, 
B E 

( 


DATE, BY TECHNOLOGY) > 


EMENT COMPLIANCE BY TECHNOLOGY DETAI 


EMENT COMPLIANCE BY CRITICALITY (DETAIL DATE, BY CRITICALITY*, 


BY CRITICALITY POLICY*, 

BY CRITICALITY ASSET GROUP*, 
BY CRITICALITY ASSET TAG*, 
BY CRITICALITY TECHNOLOGY*) > 


ba | 


EMENT TOP HOST WITH CHANGES (TOP, CHANGED TO PASS, CHANGED TO FAIL, 
CHANGED TO ERROR) > 


EMENT TOP CONTROLS WITH CHANGES (TOP, CHANGED TO PASS, 


CHANGED TO FAIL, CHANGED TO ERROR) > 


= 


FI 


EMENT FAILED CONTROLS BY CRITICALITY (FAILED CONTROLS*)> 0 


EMENT BY POLICY (POLICY+) > 


EMENT BY POLICY ASSET GROUP (POLICY+) > 


EMENT BY POLICY ASSET TAG (POLICY+) > 


EMENT BY POLICY TECHNOLOGY (POLICY+) > 


EMENT BY ASSET GROUP (ASSET GROUP+) > 


5 


EMENT BY ASSET TAG (ASSET TAG+)> 


E 
3 


EMENT BY ASS] GROUP POLICY (ASSET GROUP+) > 


EMENT BY ASSET O A 


E 


P TAG POLICY (ASSET TAG+)> 
EMENT BY ASSI 


5 


AA wwe 
3 


l GROUP TECHNOLOGY (ASSET GROUP+)> 
EMENT BY ASSI 


[ TAG TECHNOLOGY (ASSET TAG*+) > 


3 


O 


EMENT BY CRITICALITY (TOTAL FAILED CONTROLS*, 


TOTAL FAILED CONTROLS CHANGED*, CRITICALITY*)> 


EMENT BY CRITICALITY POLICY (CRITICALITY*) > 


EMENT BY CRITICALITY ASSET GROUP (CRITICALITY*) > 


EMENT BY CRITICALITY ASSET TAG (CRITICALITY*) > 


EMENT BY CRITICALITY TECHNOLOGY (CRITICALITY*) > 


EMENT FAILED CONTROLS (CRITICALITY*) > 


EMENT POLICY (POLICY TITLE, ASSET GROUP?, ASSET TAG?, TECHNOLOGY?, 


CONTROL INSTANCES, HOSTS TOTAL, HOSTS SCANNED, 
HOSTS CHANGED, PASSED TOTAL, PASSED CHANGED, 
FAILED TOTAL, FAILED CHANGED, ERROR TOTAL, 


ERROR CHANGED, COMPLIANCE) > 


EMENT ASSET GROUP 


PCDATA |ASSET GROUP NAME | POLICY TITLE|TECHNOLOGY | CONTROL INSTANCES | HOSTS 
TAL|HOSTS SCANNED|HOSTS CHANGED| PASSED TOTAL|PASSED CHANGED|FAILED TOT 


FAILED CHANGED|ERROR TOTAL|ERROR CHANGED | COMPLIANCE) *> 


EMENT ASSET TAG (ASSET TAG NAME, POLICY TITLE?, TECHNOLOGY?, 
CONTROL INSTANCES, HOSTS TOTAL, HOSTS SCANNED, 
HOSTS CHANGED, PASSED TOTAL, PASSED CHANGED, 
FAILED TOTAL, FAILED CHANGED, ERROR TOTAL, 
ERROR CHANGED, COMPLIANCE) > 


EMENT CHANGI TO PASS (HOST* |CONTROL* |CRITICALITY*) > 


EMENT CHANGI TO FAIL (HOST* | CONTROL* | CRITICALITY*) > 


EMENT CHANGED TO ERROR (HOST* | CONTROL* | CRITICALITY*) > 


EMENT HOST (IP_ADDRESS, TRACKING METHOD, NETBIOS, DNS, NETWORK?, 
ASSET GROUP NAME?, ASSET TAG NAME?, TECHNOLOGY, 
NUMBER OF POLICIES, PASSED TOTAL?, PASSED CHANGED?, 


390 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 9 - Compliance XML 


FAILED TOTAL?,FAILED CHANGED?, ERROR TOTAL?, 
ERROR CHANGED?, COMPLIANCE, NETWORK?) > 


EMENT CONTROL (ID, STATEMENT, COUNT) > 


EMENT CRITICALITY 


DATA | CRITICALITY NAME | COUNT | PERCENT|ASSET GROUP|ASSET TAG|POLICY TITL 


E | TECHNOLOGY | CONTROL INSTANCES|HOSTS TOTAL|HOSTS SCANNED|HOSTS CHANGED| PA 


ED TOTAL|PASSED CHANGED|FAILED TOTAL|FAILED CHANGED [ERROR TOTAL 


ERROR C 


HANGED | COMPLIANCE |CONTROL ID] STATEME NT) *> 


VERALL COMPLIANCE PERCENT 


PCDATA) > 


OUNT (#PCDATA) > 


O 

T UNIQUE POLICES (#PCDATA) > 
Ç 
P 


ERCENT (#PCDATA)> 


3 
3 
ï 


TOTAL CONTROL DETECTED (#PCDATA)> 


+ 


[ROL (#PCDATA) > 


Q 
T 
D 
Z 
Q E 
t | 
|) 
Q 
O 
= 


HOSTS IN POLICIES (#PCDATA) > 


CANNED HOSTS (#PCDATA) > 
GED (COUNT, PERCENT) > 


T TOTAL TECHNOLOGY (#PCDATA) > 


T CHANGED TECHNOLOGY (#PCDATA) > 


22222222222 Z 
| 


T NETWORK (#PCDATA) > 


EMENT REPORT TYPE (#PCDATA) > 


zZ 
Q 
Z 
A 
4 
e) 
Z 
U 
> 
H 


ETIME (#PCDATA) > 


T CREATED (#PCDATA) > 


T USER NAME (#PCDATA) > 


T LOGIN NAME (#PCDATA) > 


42234284 
| 


T USER ROLE (#PCDATA) > 


T NAME (#PCDATA)> 


T ADDRESS (#PCDATA) > 


T CITY (#PCDATA) > 


T STATE (#PCDATA) > 


T COUNTRY (#PCDATA) > 


T ZIP CODE (#PCDATA) > 


EMENT TEMPLATE (#PCDATA 


PCDATA) > 


) 
EMENT NUMBER OF POLICIES 
( 


( 
EMENT REPORT TIMEFRAME (#PCDATA) > 


EMENT INCLUDED TAGS (#PCDATA) > 


T 
T 
Z 
< 
3 


EXCLUDED TAGS (#PCDATA) > 


T DETAIL DATE (#PCDATA) > 


T POLICY TITLE (#PCDATA) > 


T CONTROL INSTANCES (#PCDATA) > 


T HOSTS TOTAL (#PCDATA) > 


HOSTS SCANNED (#PCDATA) > 


T HOSTS CHANGED (#PCDATA) > 


T PASSED TOTAL PCDATA) > 


A AZ A B 2A a eae 


( 
T PASSED CHANGED (#PCDATA)> 
T FAILED TOTAL (#PCDATA) > 
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<!ELEMENT FAILED CHANGED (#PCDATA) > 
<!ELEMENT ERROR_TOTAL (#PCDATA) > 

<!ELEMENT ERROR_CHANGED (#PCDATA) > 
<!ELEMENT COMPLIANCE (#PCDATA) > 

<!ELEMENT POSTURE (#PCDATA) > 

<!ELEMENT ASSET GROUP NAME (#PCDATA) > 
<!ELEMENT ASSET TAG NAME (#PCDATA) > 
<!ELEMENT IP ADDRESS (#PCDATA) > 
<!ELEMENT ID (#PCDATA) > 

<!ELEMENT STATEMENT (#PCDATA) > 

<!ELEMENT TOP (#PCDATA) > 

<!ELEMENT NETBIOS (#PCDATA) > 

<!ELEMENT DNS (#PCDATA) > 

<!ELEMENT CRITICALITY NAME (#PCDATA) > 
<!ELEMENT TOTAL FAILED CONTROLS (#PCDATA) > 
<!ELEMENT TOTAL FAILED CONTROLS CHANGED (#PCDATA) > 
<!ELEMENT CONTROL ID (#PCDATA) > 


XPaths for Compliance Scorecard Report 


XPath 


element specifications / notes 


/COM 


PLIANCE_ SCORECARD REPOR'I 


(ERROR | (HEADER, (SUMMARY) (DETAILS))) 


/COM 


PLIANCE_SCORECARD_REPORT/ERROR 


(#PCDATA|COUNT|PERCENT) 


An error message. 


attribute: number 


An error code, when available 


/COM 


PLIANGE SCORECARD REPOR'I 


[/HEA 


DER 


(REPORT. TYPE, GENERATION. DATETIME) 


/COM 


PLIANCE_SCORECARD_REPORT/HEADER/REPORT_TYPE (#PCDATA) 


The user defined report title. 


/COMPLIANCE_SCORECARD_REPORT/HEADER/GENERATION_DATETIME (#PCDATA) 
The date and time when the report was created. 
COMPLIANCE_SCORECARD_REPORT/SUMMARY 
(ABOUT_REPORT, REPORT_SETTINGS, REPORT_DISCOVERIES) 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/ABOUT_REPOR' 
(REPORT_TYPE, CREATED, USER_NAME, LOGIN_NAME, USER_ROLE, 
COMPANY INFO) 
/COMPLIANCE SCORECARD. REPORT/SUMMARY/ABOUT REPORT/REPORT TYPE (#PCDATA) 
Compliance scorecard report. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/ABOUT_REPORT/CREATED (#PCDATA) 
The date and time the report was created. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/ABOUT_REPORT/USER_NAME  (#PCDATA) 
The name of the user who created the report. 
[COM PLIANCE_SCORECARD_REPORT/SUMMARY/ABOUT_REPORT/LOGIN_NAME (#PCDATA) 
The login ID of the user who created the report. 
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element specifications / notes 


/COMPLIANCE SCORECARD. REPORT/SUMMARY/ABOUT. REPORT/USER ROLE 


The user role assigned to the user who created the report: Manager, Unit 
Manager, Auditor, Scanner, or Reader. 


(#PCDATA) 


./COMPLIANCE_SCORECARD_REPORT/SUMMARY/ABOUT_REPORT/COMPANY INFO) 


(NAME, ADDRESS, CI] 


PY, STATE, COUNTRY, ZIP_CODE) 


The user's company name and address, as defined in the user's account. 


/COMPLIANCE. SCORECAR 


m 


DER 


PORT/S 


(TEMPLAT 
ASSET_GROUPS*, 


UMMARY/REPO 


E, NUMBER_OF_PO 
ASSET_TAGS*, 


RT. SETTINGS 


LICIES, REPORT. TIMEFRAME, 
GQRIOMIE/NLIEENG)) 


/COMPL 


ANCE SCORECAR 


DSR 


m 


PORT/S 


UMMARY/R 


The name 


EPO 


of the template used 


RT. SETTINGS/ 


EMEA SIDE 


(#PCDATA) 


to generate the report. 


/COMPL 


ANCE_SCORECA. 


D_RE 


PORT/S 


MMARY/R 


Then 


3 


ber of policies select 


ed 


for the report. 


EPORT_SETTINGS/NUMBER_OF_POLICIES (#PCDATA) 


/COMPL 


ANCE_SCORECA. 


D_RE 


PORT/S 


MMARY/R 


te 


The d 


EPORT. SETTINGS/REPORT. TIMEFRAME (#PCDATA) 


range reported on. 


/COMPL 


ANCE SCORECAR 


D RE 


PORT/S 


EI > fal Cc Me » 


MMARY/R 


EPOR 


 SETTINGS/ASSET. GROUPS 


ASS 


ET GROUP NAME (#PCDATA) 


An asset group name. 


/COMPLIANCE_SCORECARD_REPORT/SUMMARY/R 


EPORT_SETTINGS/ASSET_TAGS 


(INCLUDED. TAGS, EXCLUDED TAGS?) | ASSET_TAG?) 


The asset tags se 


ected for the report. 


/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_SETTINGS/ 


(IP_ADDRESS, TRACKING_METHOD, 
AME?, ASSET_TAG 


ASSET GROUP 


HOST 


NETBIOS, DNS, NETWORK?, 
NAME?, TECHNOLOGY, 


NUMBER OF POLICIES, PASSED. TOTAL ?, PASSED CHANGED?, 


FAILE] 
ERRO 


Host setti 
AGENT. 


ngs. For 


D TOTAL?,FAILED CHANGED?, ERROR TOTAL?, 
R. CHANGED?,COMPLIANCE, NETWORK?) 


tracking method a valid value is: IP, DNS NETBIOS, or 


ANCE_SCORECAR 


DER 


m 


PORT/SUMMARY/R 


The criticality levels included in 


EPORT. SETTINGS/CR 


the 


report. 


TUCZN ENE 


(#PCDATA) 


ANCE_SCORECAR 


DER 


m 


PORT/S 


UMMARY/R 


OVERALL COMP 
BY CRITICALITY') 


EPORT. DISCOVER 


ANCHE, ENCON 


ES) 


MDY OSS 


BY TECHNOLOGY, 


/COMP 


E SCORECAR 


D RE 


PO 


RT/SUMMARY/R 


OVERALL COMP 
ERROR 


PO 


RT. DISCOVER 
ANCE PERCENT, 


ES/OVE 


RAL 


UNIQUE_POLICE 


L_COMP 


ANCE 


S, PASSED, FAILED, 


ANCE_SCORECA 
COMPLIANCE _. 


RT/SUMMA 
(4PCDATA 


The percent 


RE 


PO 


of comp 


RT_DISCOVER 


iance across al 


ES/OVE 


l policies in 


RAL 


L_COMP 


cluded i 


ANCE/ 


the report. 


E SCORECAR 


CES (#PCDAT 


RT/SUMMA 


EPO 


[The number of uni 


RT_DISCOVER 


que poli 


ES/OVE 


RAL 


L_COMP 


cies included in the report. 


ANCE/ 
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XPath element specifications / notes 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/OVERALL_COMPLIANCE/ 
PASSED (COUNT, PERCENT 

The number and percent of controls that passed. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/OVERALL_COMPLIANCE/ 
FAILED (COUNT, PERCENT) 

The number and percent of controls that failed. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/OVERALL_COMPLIANCE/ 
ERROR COUNT, PERCENT 

The number and percent of controls with an Error status in the report. An 

error status is returned for a custom control if an error occurred during 

control evaluation (and the ignore errors configuration option was not 
selected). 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_CONTROL 

(TOTAL_CONTROL_DETECTED, CHANGED_CONTROL, PASSED, FAILED, 

ERROR 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_CONTROL/ 

TOTAL CONTROL DETECTED (#PCDATA 

The number of controls detected. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_CONTROL/ 
CHANGED_CONTROL (#PCDATA) 

The number of changed controls detected. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_CONTROL/PASSED 

(COUNT, PERCENT) 

The number and percent of controls passed. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_CONTROL/FAILED 

(COUNT, PERCENT) (#PCDATA 

The number and percent of controls failed. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_CONTROL/ERROR 

(COUNT, PERCENT) (#PCDATA 

The number and percent of controls in error. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_HOSTS 

(TOTAL_HOSTS_IN_POLICIES, SCANNED_HOSTS, CHANGED) 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_HOSTS/ 
TOTAL_HOSTS_IN_POLICIES (#PCDATA) 

The number of hosts in the selected policies. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_HOSTS/SCANNED_HOSTS 
(#PCDATA 

The number of scanned hosts included in the selected policies. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_HOSTS/CHANGED 

(COUNT, PERCENT) 

The number and percent changed hosts 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_TECHNOLOGY 

((TOTAL_TECHNOLOGY, CHANGED_TECHNOLOGY, 

TECHNOLOGY*)|(TECHNOLOGY+)) 


394 


Gualys API (VM, PC) XML/DTD Reference 
Chapter 9 - Compliance XML 


XPath element specifications / notes 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_TECHNOLOGY/ 
TOTAL_TECHNOLOGY (#PCDATA) 


The number of technologies included in the report. 


/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_TECHNOLOGY/ 
CHANGED TECHNOLOGY (#PCDATA) 

The number of changed technologies in the report. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_TECHNOLOGY/ 


TECHNOLOGY* (NAME, CO UNT, P ERCENT) 
The technology name, count and percent. 
/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_CRITICALITY 


(TOTAL FAILED CONTROLS*%, TOTAL FAILED CONTROLS CHANGED 
CRITICALITY* 


/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOV. 


TOTAL_FAILED_CONTROLS* (#PCDATA 
The number of failed controls in the report. 


/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_CRITICALITY/ 
TOTAL_FAILED_CONTROLS_CHANGED* (#PCDATA) 


The number of controls that changed to fail in the report time frame. 


/COMPLIANCE_SCORECARD_REPORT/SUMMARY/REPORT_DISCOVERIES/BY_CRITICALITY/ 
CRITICALITY* (NAME, COUNT, PERCENT 


The number and percentage of controls that changed to fail for each 
criticality. 
/COMPLIANCE_SCORECARD_REPORT/DETAILS 
(COMPLIANCE_BY_POLICY*, COMPLIANCE BY ASSET GROUP*, 
COMPLIANCE BY ASSET. TAG*, COMPLIANCE BY TECHNOLOGY”, 


COMPLIANCE BY CRITICALITY*, TOP HOST. WITH. CHANGES$*, 
TOP CONTROLS. WITH. CHANGES*, FAILED CONTROLS BY CRITICALITY') 


mi 


RIES/BY_CRITICALITY/ 
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Exception List Output 
API used 


<platform API server>/api/2.0/fo/compliance/exception/?action=list 


DTD for Network List Output 
<platform API server>/api/2.0/fo/compliance/exception/exception list output.dtd 


A recent DTD is shown below. 


<!-- QUALYS EXCEPTION LIST OUTPUT DTD --> 
<!ELEMENT EXCEPTION LIST OUTPUT (REQUEST?, RESPONSE) > 


E 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 

<!ELEMENT PARA (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 


Z H 2 ee 


T 


<!ELEMENT RESPONSE (DATETIME, (EXCEPTION LIST|NUMBER SET) ?, WARNING?) > 
<!ELEMENT EXCEPTION LIST (EXCEPTION+) > 

<!ELEMENT EXCEPTION (EXCEPTION NUMBER, HOST?, TECHNOLOGY?, POLICY?, 
CONTROL?, ASSIGNEE, STATUS, ACTIVE, EXPIRATION DAT 
MODIFIED DATE, HISTORY LIST?)> 

<!ELEMENT EXCEPTION NUMBER (#PCDATA) > 


El 
~ 


<!ELE 
<!ELE 
<!ELE 
<!ELE 


ENT HOST (IP ADDRESS, TRACKING METHOD, NETWORK?)> 
ENT IP ADDRESS (#PCDATA) > 

ENT TRACKING METHOD (#PCDATA) > 

ENT NETWORK (#PCDATA) > 


<!ELEMENT TECHNOLOGY (ID, NAME) > 
<!ELEMENT POLICY (ID, NAME) > 
<!ELEMENT ID (#PCDATA) > 
<!ELEMENT NAME (#PCDATA) > 


<!ELEMENT CONTROL (CID, STATEMENT, CRITICALITY) > 
<!ELEMENT CID (#PCDATA) > 
<!ELEMENT STATEMENT (#PCDATA) > 
<!ELEMENT CRITICALITY (VALUE, LABEL) > 
<!ELEMENT LABEL (#PCDATA) > 


<!ELEMENT ASSIGNEE (#PCDATA) > 

<!ELEMENT STATUS (#PCDATA) > 

<!ELEMENT ACTIVE (#PCDATA) > 

<!ELEMENT REOPEN ON EVIDENCE CHANGE (#PCDATA) > 
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) +> 


<!EL T EXPIRATION DATE (4PCDATA) > 
<!ELEMENT MODIFIED DATE (#PCDATA) > 
<!ELEMENT HISTORY LIST (HISTORY+)> 
<!ELEMENT HISTORY (USER, COMMENT, INSERTION DATE) > 
<!ELEMENT USER (#PCDATA) > 

<!ELEMENT COMMENT (#PCDATA) > 

<!ELEMENT INSERTION DATE (#PCDATA) > 

<!EL T NUMBER_SET (NUMBER|NUMBER_RANGE 
<!EL T NUMBER (#PCDATA) > 

<!EL T NUMBER RANGE (#PCDATA) > 

<!EL T WARNING (CODE?, TEXT, URL?)> 
<!ELEMENT CODE (#PCDATA)> 

<!ELEMENT TEXT (#PCDATA) > 

<!ELEMENT URL (#PCDATA) > 

<!-- EOF --> 


XPaths for Exception List Output 


Exception List Output: Request 


Chapter 9 - Compliance XML 


XPath element specifications / notes 
/EXCEPTION_LIST_OUTPU (REQUEST?, RESPONSE) 
/EXCEPTION_LIST_OUTPUT/REQUEST 

(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/EXCEPTION_LIST_OUTPUT/REQUEST/DATETIME — (*PCDATA) 

The date and time of the request. 
/EXCEPTION_LIST_OUTPUT/REQUEST/USER_LOGIN  (*PCDATA) 

The login ID of the user who made the request. 
/EXCEPTION_LIST_OUTPUT/REQUEST/RESOURCE — (*PCDATA) 

The resource specified for the request. 
/EXCEPTION_LIST_OUTPUT/REQUEST/PARAM_LIST  (PARAM+) 
/EXCEPTION_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
/EXCEPTION_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM/KEY  (*PCDATA) 

An input parameter name. 
/EXCEPTION_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM/VALUE (#PCDATA) 

An input parameter value. 

/EXCEPTION LIST OUTPUT/REOUEST/POST DATA  (*PCDATA) 


The POST data, if any. 


Exception List Output: Response 


XPath 


element specifications / notes 


(EXCEPT 


ION LIS 


OU 


PU 


(REQUEST?, RESPONSE) 


/EXCEP 


ION_LIS 


OU 


PUT/RESPONSE (DATETIME, (EXCEPTION_LISTINUMBER_SET)?, WARNING?) 
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XPath element specifications / notes 
/EXCEPTION LIST. OUTPUT/RESPONSE/DATETIME (#PCDATA) 


The date and time of the response. 
/EXCEPTION. LIST. OUTPUT/RESPONSE/EXCEPTION. LIS (EXCEP ION +) 
/EXCEPTION. LIST. OUTPUT/RESPONSE/EXCEPTION LIST/EXCEPTION 


(EXCEPTION. NUMBER, HOST?, TECHNOLOGY?, POLICY?, 
CONTROL?, ASSIGNEE, STATUS, ACTIVE, EXPIRATION. DATE, 
MODIFIED. DATE, HISTORY LIST?) 


/EXCEPTION LIST. OUTPUT/RESPONSE/EXCEPTION. LIST/EXCEPTION/EXCEPTION. NUMBER (#PCDATA) 
The exception number of the exception. 
J(EXCEPTION LIST. OUTPUT/RESPONSE/EXCEPTION. LIST/EXCEPTION/HOST (IP_ADDRESS, 


J/EXCEPTION LIST. OUTPUT/RESPONSE/EXCEPTION. LIST/EXCEPTION/HOST/IP. ADDRESS (#PCDATA) 


IP address ofthe host associated with the exception. 
/EXCEPTION LIST OUTPUT/RESPONSE/EXCEPTION LIST/EXCEPTION/HOST/ 


The tracking method for the host: IP, DNS NETBIOS, or AGENT. 
/EXCEPTION LIST. OUTPUT/RESPONSE/EXCEPTION LIST/EXCE ON/HOST/NETWORK (#PCDATA) 


The network name to which the host, associated with the exception, 
ngs to. 


o 
/EXCEPTION LIST. OUTPUT/RESPONSE/EXCEPTION. LIST/EXCEPTION/TECHNOLOGY (ID, NAME) 
EXGEPTION. LIST. OUTPU SE/EXCEPTION_LIST/EXCEPTION/POLICY (ID, NAME) 
/EXCEPTION_LIST_OUTPUT/RESPONSE/EXCEPTION_LIST/EXCEPTION/POLICY/ ID (#PCDATA) 
Policy ID of the policy that contains the control in the exception. 
/EXCEPTION_LIST_OUTPUT/RESPONSE/EXCEPTION_LIST/EXCEPTION/POLICY/ NAME (#PCDATA) 
Name of the policy that contains the control in the exception. 
/EXCEPTION_LIST_OUTPUT/RESPONSE/EXCEPTION_LIST/EXCEPTION/CONTROL 


(CID, STATEMENT, CRITICALITY) 
/EXCEPTION_LIST_OUTPUT/RESPONSE/EXCEPTION_LIST/EXCEPTION/CONTROL/CID (#PCDATA) 


~ 
| 
| 
~ 
lg) 
m 
Wn 
YU 
O 
Z 


The control ID number assigned to the control in the exception. 
/EXCEPTION_LIST_OUTPUT/RESPONSE/EXCEPTION_LIST/EXCEPTION/CONTROL/STATEMENT(#PCDATA) 
o 


A control statement. 


/EXCEPTION_LIST_OUTPUT/RESPONSE/EXCEPTION_LIST/EXCEPTION/CONTROL/CRITICALITY 
(VALUE, LABEL) 
/EXCEPTION_LIST_OUTPUT/RESPONSE/EXCEPTION_LIST/EXCEPTION/CONTROL/CRITICALITY 
VALUE (#PCDATA) 
A criticality value (0-5) assigned to the control. 
/EXCEPTION_LIST_OUTPUT/RESPONSE/EXCEPTION_LIST/EXCEPTION/CONTROL/CRITICALITY 
LABEL (#PCDATA) 


A criticality label (e.g. SERIOUS, CRITICAL, URGENT) assigned to the 
control. 


/EXCEPTION_LIST_OUTPUT/RESPONSE/EXCEPTION_LIST/EXCEPTION/ASSIGNEE (#PCDATA) 


An assignee of the exception. 
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XPath element specifications / notes 
(EXCEPTION LIST. OUTPUT/RESPONSE/EXCEPTION. LIST/EXCEPTION/STATUS (#PCDATA) 


Status of the exception: pending, approved, rejected or expired. 
J/EXCEPTION LIST. OUTPUT/RESPONSE/EXCEPTION. LIST/EXCEPTION/ACTIVE (#PCDATA) 

1 for an active exception or 0 for a inactive exception. 

/EXCEPTION LIST OUTPUT/RESPONSE/EXCEPTION LIST/EXCEPTION/ 

REOPEN. ON EVIDENCE, CHANGE (#PCDATA) 

for an reopened exception; 0 otherwise. 

/EXCEPTION LIST. OUTPUT/RESPONSE/EXCEPTION. LIST/EXCEPTION/EXPIRATION. DATE (#PCDATA) 


The exception expiration date. 
/EXCEPTION LIST. OUTPUT/RESPONSE/EXCEPTION. LIST/EXCEPTION/MODIFIED. DATE (#PCDATA) 
The date when the exception was last modified. 
RESPONSE/EXCEPTION LIST/HISTORY L (HISTORY +) 
RESPONSE/EXCEPTION LIST/HISTORY LIS 
(USER, COMMENT, INSERTION. DA 
/EXCEPTION LIST. OUTPUT/RESPONSE/EXCEPTION. LIST/EXCEPTION/HISTORY LIST/USER (#PCDATA) 
The login ID ofthe users who reguested and updated the exception. 
/EXCEPTION LIST OUTPUT/RESPONSE/EXCEPTION LIST/EXCEPTION/HISTORY. LIST/ 


E 
m 
> 
ON 
m 
Y 
O 
Z 
is 
(72) 
O 
E 
y 
(E 
q 
(2) 


pan 
m 
> 
Ey 
“m 
ES 
4 
O 
Z 
= 
(72) 
O 
E 
Ey 
(e 
oe 


mi 


User-defined comments. 
PTION. LIST OUTPUT/RESPONSE/EXCEPTION. LIST/EXCEPTION/HISTORY LIST/ 


The comments insertion date. 
/EXCEPTION. LIST. OUTPUT/RESPONSE/NUMBER SET (NUMBERINUMBER. RANGE + 
/EXCEPTION LIST. OUTPUT/RESPONSE/NUMBER. SET/NUMBER (#PCDATA) 


he exception number of the updated or deleted exception. 
PUT/RESPONSE/NUMBER_SET/NUMBER_RANGE (#PCDATA) 


= 
“m 
Ei 
©) 
ra 
y 
O 
A 
t 
un 
O 
C 


[The exception number range of the exceptions that were updated or 
deleted. 


Exception List Output: Warning 


XPath element specifications / notes 
/EXCEPTION_LIST_OUTPUT/RESPONSE/WARNING_LIST (WARNING+) 


/EXCEPTION_LIST_OUTPUT/RESPONSE/WARNING  (CODE?, TEXT, URL?) 
J/EXCEPTION LIST OUTPUT/RESPONSE/WARNING/CODE — (*PCDATA) 


A warning code. A warning code appears when the API reguest identifies 
more than 5,000 exception records. 


/EXC _LIST_OUTPUT/RESPONSE/WARNING/TEXT  (*PCDATA) 


A warning message. A warning message appears when the API request 
identifies more than 5,000 exception records. 


UTPUT/RESPONSE/WARNING/URL  (*PCDATA) 


A URL for making another API request for the next batch of exception 
records. 


bas) 


tri 
U 
O 
Z 
E 
Wn 
© 
E 


/EXC 


mi 
YU 
Q 
Z 
E 
Wn 
O 
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Exception Batch Return Output 


API used 


<platform API server>/api/2.0/fo/compliance/exception/?action=update|delete 


DTD for Exception Batch Return Output 


<platform API server>/api/2.0/fo/compliance/exception/exception_batch_return.dtd 


A recent DTD is shown below. 
<!-- QUALYS EXCEPTION BATCH RETURN DTD --> 
<!ELEMENT BATCH RETURN (REQUEST?, RESPONSE) > 
<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?)> 
<!EL NT DATETIME (#PCDATA) > 
<!EL NT USER LOGIN (#PCDATA) > 
<!EL NT RESOURCE (#PCDATA) > 
<!ELEMENT PARAM LIST (PARAM+) > 
<!ELEMENT PARAM (KEY, VALUE) > 
<!ELEMENT KEY (#PCDATA) > 
<!ELEMENT VALUE (#PCDATA) > 
<!-- If specified, POST DATA will be urlencoded --> 
<!ELEMENT POST DATA (#PCDATA) > 
<!ELEMENT RESPONSE (DATETIME, BATCH LIST?) > 
<!ELEMENT BATCH LIST (BATCH+) > 
<!ELEMENT BATCH (CODE?, TEXT?, NUMBER SET?) > 
<!EL NT CODE (#PCDATA) > 
<!EL NT TEXT (#PCDATA) > 
<!ELEMENT NUMBER SET (NUMBER|NUMBER_ RANGE) +> 
<!ELEMENT NUMBER RANGE (#PCDATA) > 
<!ELEMENT NUMBER (#PCDATA) > 
<!-- EOF --> 


XPaths for Exception Batch Return Output 


Exception Batch Return Output: Request 
XPath element specifications / notes 
/BATCH_RETURN (REQUEST?, RESPONSE) 
/BATCH_RETURN/REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/BATCH_RETURN/REQUEST/DATETIME (#PCDATA) 

The date and time of the request. 
/BATCH_RETURN/REQUEST/USER_LOGIN (#PCDATA) 

The user login ID of the user who made the request. 
/BATCH_RETURN/REQUEST/RESOURCE (#PCDATA) 

The resource specified for the request. 
/BATCH_RETURN/REQUEST/PARAM_LIST (PARAM+) 
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XPath element specifications / notes 
/BATCH. RETURN/REOUEST/PARAM LIST/PARAM (KEY, VALUE) 
/BATCH_RETURN/REQUEST/PARAM_LIST/PARAM/KEY (#PCDATA) 
The input parameter name. 
/BATCH_RETURN/REQUEST/PARAM_LIST/PARAM/VALUE (#PCDATA) 
The input parameter value. 
/BATCH_RETURN/REQUEST/POST_DATA (#PCDATA) 


The POST data. 


Exception Batch Return Output: Response 


XPath element specifications / notes 
/BATCH_RETURN/RESPONSE (DATETIME, BATCH LIST?) 
/BATCH_RETURN/RESPONSE/DATETIME (#PCDATA) 

The date and time of the response. 
/BATCH_RETURN/RESPONSE/BATCH_LIST (BATCH+) 
/BATCH_RETURN/RESPONSE/BATCH_LIST/BATCH (CODE?, TEXT?, NUMBER_SET?) 
/BATCH_RETURN/RESPONSE/BATCH_LIST/BATCH/CODE (4PCDATA) 

A batch code. 
/BATCH_RETURN/RESPONSE/BATCH_LIST/BATCH/TEXT (#PCDATA) 

A batch text description. 

/BATCH. RETURN/RESPONSE/BATCH. LIST/BATCH/NUMBER. SET(NUMBERJINUMBER. RANGE) 
/BATCH_RETURN/RESPONSE/BATCH_LIST/BATCH/NUMBER_SET/NUMBER (#PCDATA) 

The exception number of the updated or deleted exception. 
/BATCH_RETURN/RESPONSE/BATCH_LIST/BATCH/NUMBER_SET/NUMBER_RANGE (#PCDATA) 

The exception number range of the exceptions that were updated or 

deleted. 
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SCAP Policy List Output 


API used 
<platform API server>/api/2.0/fo/compliance/fdd_policy/?action=list 


DTD for SCAP Policy List Output 
<platform API server>/api/2.0/fo/compliance/fdcc. policy/fdcc policy. list output.dtd 
A recent DTD is shown below. 


<!-- QUALYS FDCC POLICY LIST OUTPUT DTD --> 
<!ELEMENT FDCC POLICY LIST OUTPUT (REQUEST?, RESPONSE 


V 


<!ELEMENT REQUEST (DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 

<!ELEMENT DATETIME (#PCDATA) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT RESOURCE (#PCDATA) > 

<!ELEMENT PARAM LIST (PARAM+) > 


<!ELEMENT PARA (KEY, VALUE) > 

<!ELEMENT KEY (#PCDATA) > 

<!ELEMENT VALUE (#PCDATA) > 

<!-- if returned, POST DATA will be urlencoded --> 

<!ELEMENT POST DATA (#PCDATA) > 

<!ELEMENT RESPONSE (DATETIME, (FDCC POLICY LIST|ID SET) ?, WARNING LIST?) > 

<!ELEMENT FDCC_POLICY LIST (FDCC_POLICY+)> 

<!ELEMENT FDCC_POLICY (ID, TITLE, DESCRIPTION, BENCHMARK, 
BENCHMARK PROFILE, BENCHMARK STATUS DATE, VERSION, 
TECHNOLOGY, NIST PROVIDED, CREATED, LAST MODIFIED, 
ASSET GROUP LIST?, FDCC FILE LIST?)> 

<!ELEMENT ID (#PCDATA) > 

<!ELEMENT TITLE (#PCDATA) > 

<!ELEMENT DESCRIPTION (#PCDATA) > 

<!ELEMENT BENCHMARK (#PCDATA) > 

<!ELEMENT BENCH [ARK PROFILE (#PCDATA) > 

<!ELEMENT BENCHMARK STATUS DATE (#PCDATA) > 

<!ELEMENT VERSION (#PCDATA) > 

<!ELEMENT TECHNOLOGY (#PCDATA) > 

<!ELEMENT NIST PROVIDED (#PCDATA) > 

<!ELEMENT CREATED (DATETIME, BY)> 

<!ELEMENT BY (#PCDATA) > 


<!ELEMENT LAST MODIFIED (DATETIME, BY) > 


<!ELEMENT ASSET GROUP LIST (ASSI 
<!ELEMENT ASSET GROUP (ID, TITLI 


T GROUP+) > 
)> 


F 
E 
F 
E, 


<!ELEMENT FDCC FILE LIST (FDCC_FILE+)> 
<!ELEMENT FDCC FILE (FILE NAME, FILE HASH)> 
<!ELEMENT FILE NAME (#PCDATA) > 
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<!ELEMENT FILE HASH (*PCDATA) > 


NT WARNING LIST (WARNING+) > 

NT WARNING (CODE TEXT, URL?)> 
<!ELEMENT CODE (*PCDA] 

N 

N 


VV. 


TA 
T TEXT (#PCDATA 
T URL (#PCDATA) 


a 
) 
) 
> 


XPaths for SCAP Policy List Output 
SCAP Policy List Output: Request 


XPath element specifications / notes 
/FDCC_POLICY_LIST_OUTPUT (REQUEST?, RESPONSE) 
/FDCC_POLICY_LIST_OUTPUT/REQUEST 
(DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/FDCC_POLICY_LIST_OUTPUT/REQUEST/DATETIME (#PCDATA) 
The date and time of the request. 
/FDCC_POLICY_LIST_OUTPUT/REQUEST/USER_LOGIN (#PCDATA) 
The user login ID of the user who made the request. 
/FDCC_POLICY_LIST_OUTPUT/REQUEST/RESOURCE (#PCDATA) 
The resource specified for the request. 
FDCC_POLICY_LIST_OUTPUT/REQUEST/PARAM_LIST (PARAM+) 
/FDCC_POLICY_LIST_OUTPUT/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
FDCC POLICY LIST OUTPUT/REOUEST/PARAM LIST/PARAM/KEY  (#PCDATA) 
An input parameter name. 
/FDCC. POLICY LIST OUTPUT/REOUEST/PARAM LIST/PARAM/VALUE — (4PCDATA) 
An input parameter value. 
/FDCC. POLICY LIST OUTPUT/REOUEST/POST DATA (#PCDATA) 

The POST data, if any. 


ES 


DES 


SCAP Policy List Output: Response 


XPath element specifications / notes 
J/EDCC. POLICY LIST OUTPUT (REQUEST?, RESPONSE) 


/EDCC. POLICY. LIST. OUTPUT/RESPONSE 
(DATETIME, (FDCC. POLICY LISTJID SET)?, WARNING LIST?) 
/FDCC. POLICY LIST OUTPUT/RESPONSE/DATETIME (#PCDATA) 


The date and time of the response. 
FDCC POLICY LIST OUTPUT/RESPONSE/FDCC POLICY LIST (FDCC POLICY+) 
FDCC. POLICY LIST OUTPUT/RESPONSE/POLICY LIST/FDCC. POLICY 


(ID, TITLE, DESCRIPTION, BENCHMARK, BENCHMARK PROFILE, 
BENCGHMARK STATUS. DATE, VERSION, TECHNOLOGY, NIST. PROVIDED, 
CREATED, LAST. MODIFIED, ASSET. GROUP LIST?, FDCC. FILE LIST?) 


KI 


RSS 
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PDE GEE ORIG AES ihm 


ESPONSE/FDCC_POLICY_LIST/FDCC_PO 


A SCAP policy ID. 


LICY/ID  (#PCDATA) 


AEG AASEN ISA 


ESPONSE/FDCC. POLICY LIST/FDCC. PO 


A SCAP policy title. 


LICY/TITLE  (#PCDATA) 


FIDICIC PONG LIISI 


ESPONSE/FDCC_POLICY_LIST/FDCC_PO 


A description of the SCAP policy. 


LICY/DESCRIPTION (#PCDATA) 


BENCHMARK_ PROF 


PCDATA) 
The SCAP profile that is defined for the FDCC policy in the FDCC Content. 


PIDICIG JOULES? ILS IE ESPONSE EDC GEL OTSIS GGE ONG 
BENCHMARK  (#PCDATA) 
The SCAP benchmark defined for the FDCC policy. 
ADE ALIEN AIS ESPONSE DESEOS ALDECOA 


EDECER ORIG AMETIS 


BENCHMARK STAT 


ESPONSE/FDCC_POLICY_LIST/FDCC_PO 
(4PCDATA) 


The SCAP status date, as defined for the FDCC policy in the SCAP XCCDF 


file. 


LENA) 


EDE GSE OTIGA 
VERSION 


LIST OUTPUT/RESPONSE/FDCC. POLICY. LIST/FDCC. POLICY/ 
(#PCDAT 


The base version of the SCAP policy as defined by NIST, when the policy is a 


NIST provided policy. 


/FDCC_POLICY_LIS 
TECHNOLOGY 


(#PCDAT 


PUT/RESPONSE/FDCC_POLICY_LIST/FDCC_PO 


LESA) 


The technology defined for the SCAP policy. 


/FDCC_POLICY_LIS 
NIST_PROVIDED 


PUT/RESPONSE/FDCC_POLICY_LIST/FDCC_PO 


Yes indicates the SCAP policy was provi 


policy is a user-defined custom policy. 


LICY/ 


ded by NIST. No indicates the SCAP 


(#PCDATA) 
The date/time when the SCAP policy was first created. 


PIDICIG, POILNGW_ILUS ESLONSE/ED@@GaL@ll Gvm@bioiy/» EGE OJAGA 
CREATED (DATETIME 
ENECER OMIC ESLONSE/ED@ GEL OR) Gialblsit/ ADE: O 


EDECARO MIGAS ESPONSE/FDCC_POLICY_LIST/FDCC_POLICY/ 
CREATED/BY (#PCDATA) 
The user login ID of the user who first created the SCAP policy. 
VANGE, POLE LST ESL@NSE/ ED E EM OTSAS GGE ONGA 
LAST. MODIFIED BY) 
AE POLICY ALS Te ESHONSE/ DESOLADO 
LAST_MODIFIED/DAT PCDATA) 


The date/time when the policy was last updated. 


pDEESPORIG AES 


LAST_MODIFIED/BY - (#PCDATA) 


SPONSE/FDCC_POLICY_LIST/FDCC_PO 


ENG! 


The user login ID of the user who last modified the policy. 
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XPath element specifications / notes 

J/EDCC. POLICY LIST OUTPUT/RESPONSE/FDCC. POLICY LIST/FDCC. POLICY/ 
ASSET. GROUP LIST (ASSET. GROUP +) 

AD GENE OAAS ¡MO UB OI RESPONSE ED GMT EMSA GONEO META 
ASSET. GROUP LIST/ASSET. GROUP (ID, TITLE) 
MDECCERONGCYANSMOUTRUMRESEONSEF/PDECIR ON CYANSMEDEGERONIGCY 
ASSET_GROUP_LIST/ASSET_GROUP/ID (#PCDATA 


The ID of an asset group assigned to the SCAP policy. 


¡BOCA OMC SO UE VI RESPONSE DEBO AMS ENEE OC 
ASSET. GROUP LIST/ASSET. GROUP/TITLE (#PCDATA) 


The title of an asset group assigned to the SCAP policy. 
EDESTAS AE DT RESEONSE/ED@ Gal Oli Gal ls MEDECI OTSA 


fa g ESREONSEHRDEGAEONGCYANSMEDECERONGY/ 
DCC FILE LIST/FDCC FILE (FILE NAME, FILE HASH 


E MADEE OLE ADE E JADE 
DCC FILE LIST/FDCC FILE/FILE NAME — (H*PCDATA) 


A SCAP file name. 


{ED ECELOMG ASN AMAAN AASAD GE IAONLNENC JUST AD EE TAGS 
FDCC FILE LIST/FDCC FILE/FILE HASH (#PCDATA 


The MD5 hash of a SCAP file name. 
/RESPONSE/ID SET (IDJID RANGE) 
/RESPONSE/ID SET/ID (4PCDATA) 

A SCAP policy ID. 
J/FDCC. POLICY LIST OUTPUT/RESPONSE/ID SET/ID RANGE  (#PCDATA) 
A range SCAP policy IDs. 


ES 
Y 
C 
(9) 
tas 
© 
= 
@) 
< 
E 
Wn 
© 
E 
ag) 
E 
= 
vs) 


as 
Ti 
3 
(2) 
ay 
ins) 
©) 
= 
@) 
< 
E 
Wn 
O 
(= 
ne) 
C 
= 
bas) 
E 
Wn 
ns) 
© 
Z 
Wn 


/FDCC_POLICY_LIST_OUTP 
/FDCC_POLICY_LIST_OUTP 


G 


G 


SCAP Policy List Output: Warning 


XPath element specifications / notes 
/FDCC_POLICY_LIST_OUTPUT/RESPONSE/WARNING_LIST  (WARNING+) 


/FDCC_POLICY_LIST_OUTPUT/RESPONSE/WARNING_LIST/WARNING  (CODE?, TEXT, URL?) 
/FDCC_POLICY_LIST_OUTPUT/RESPONSE/WARNING/CODE — (4PCDATA) 


A warning code. A warning code appears when the API request identifies 
more than 1,000 records (policies). 


/FDCC_POLICY_LIST_OUTPUT/RESPONSE/WARNING/TEXT (4PCDATA) 


(as) 


A warning message. A warning message appears when the API reguest 
identifies more than 1,000 records (policies). 


/EDCC. POLICY LIST OUTPUT/RESPONSE/WARNING/URL (#PCDATA) 


The URL for making another API reguest for the next batch of SCAP policy 
records. 
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Chapter 10 - User XML 


This section describes the XML output returned from User API reguests. 
User Output 

User List Output 

User Action Log Report 

Password Change Output 


User Output 
API used 


<platform API server>/msp/user.php 


DTD for User Output 
<platform API server>/user_output.dtd 


A recent DTD is shown below. 


<!-- QUALYS USER OUTPUT DTD --> 


<!ELEMENT USER OUTPUT (API, RETURN, USER?) > 


<!-- "name" is the name of API --> 

<!-- "at" is the current platform date and time --> 
<!ELEMENT API (#PCDATA) > 

<!ATTLIST API 


sername CDATA #REQUIRED 
t CDATA #REQUIRED> 


A 
name CDATA #REQUIRED 
u 
a 


<!-- the PCDATA contains an explanation of the status --> 
<!ELEMENT RETURN (MESSAGE?) > 
<!ATTLIST RETURN 

status (FAILED|SUCCESS|WARNING) #REQUIRED 
number CDATA #IMPLIED> 


<!ELEMENT MESSAGE (#PCDATA) > 

<!-- USER element in case password needs to be returned in XML --> 
<!ELEMENT USER (USER LOGIN, PASSWORD) > 

<!ELEMENT USER LOGIN (#PCDATA) > 

<!ELEMENT PASSWORD (#PCDATA) > 
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XPaths for User Output 


XPath element specifications / notes 

/USER. OUTPUT (API, RETURN, USER?) 

/USER_OUTPUT/API (#PCDATA) 
attribute: name name is required and is the API function name. 
attribute: username username is required and is the user login of the API user. 
attribute: at at is required and is the date/time when the function was run in 


YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 
/USER_OUTPUT/RETURN (MESSAGE?) 
attribute: status status is required and is a status code, either SUCCESS, FAILED, or WARNING. 
attribute: number number is implied and, if present, is an error code. 
/USER_OUTPUT/RETURN/MESSAGE (#PCDATA) 
A descriptive message that corresponds to the status code. 
/USER_OUTPUT/USER (USER_LOGIN, PASSWORD) 


[he USER element (with sub-elements) is returned for a new user account 
when the user.php request included the send_email=0 input parameter. 


USER/USER LOGIN (#PCDATA) 


/USER_OUTPU 


== 


he user login ID for the new user account. 
USER/PASSWORD — (4PCDATA) 


/USER_OUTPU 


= 


The new and current password for the new user account. 


User List Output 
API used 


<platform API server>/msp/user_list.php 


DTD for User List Output 
<platform API server>/user_list_output.dtd 
A recent DTD is shown below. 


<!-- QUALYS USER LIST OUTPUT DTD --> 


<!ELEMENT USER LIST OUTPUT (ERROR | USER LIST) > 


<!ELEMENT ERROR (#PCDATA) *> 
<!ATTLIST ERROR number CDATA #IMPLIED> 


<!ELEMENT USER LIST (USER*) > 


<!ELEMENT USER (USER LOGIN?, USER_ID?, EXTERNAL ID?, CONTACT INFO, 
ASSIGNED ASSET GROUPS?, USER STATUS, CREATION DATE, 
LAST LOGIN DATE?, USER ROLE, MANAGER POC?, 
BUSINESS UNIT?, UNIT MANAGER POC?, 
UI INTERFACE STYLE?, PERMISSIONS?, NOTIFICATIONS?) > 


T 
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<! 
<! 


ENT 


USER LOGIN (#PCDATA) > 


EM 


ENT 


USER ID (#PCDATA) > 


EM 


ENT 


EXTERNAL ID (#PCDATA) > 


ENT 


CONTACT INFO (FIRSTNAME, LASTNAM 
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PHONE, FAX, EMAIL, 


COMPANY, ADDRESS1, 


El 


CITY, COUNTRY, STAT 


ZIP CODE, TIME ZON 


FIRSTNAME 
ASTNAME 


(t PCDATA) > 
PCDATA) > 


TITLE (#PCDATA) > 


PCDATA) > 
(#PCDATA) > 


EMAIL (#PCDATA) > 


PANY (#PCDATA) 
ADDRESS1 (#PCDAT 
ADDRESS2 (#PCDAT 
CITY (#PCDATA) > 
COUNTRY (#PCDATA) > 
PCDATA) > 
PCDATA) > 


> 
)> 
)> 


A 
A 


a Aa A KAA 


CODE (#PCDATA) > 


T 
2 
a 
3 


T 
2 
= 
3 


D ASSET GROUPS 
ASSET GROUP TITLE (#PCDATA) > 


PCDATA) > 


(#PCDATA) > 


(#PCDATA) > 


(#PCDATA) > 


422424242422 


PCDATA) > 
(#PCDATA) > 
PCDATA) > 
(#PCDATA) > 


T 
2 
Ej 
3 


U 


ERMISSIONS (CREATE OPTION PROFI 


EDIT REMEDIATION PO 


CREATE OPTION 


dE _ PROFILES 
PURGE INFO (#PCDATA) > 
ADD ASSETS (#PCDATA) > 


EDIT REMEDIATION POLICY 


ZAZZ2ZA 


EDIT AUTH RECORDS (#PCDATA) > 


NOTIFICATIONS (LATEST VU 


N, MAP, 


ATEST VULN (#PCDATA) > 


MAP 
SCAN 


(#PCDATA) > 
(# PCDATA) > 


DAILY TICKETS (#PCDATA) > 
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(ASSET GROUP _TITLE+) > 


ES, PURGE INFO, ADD ASSETS, 


EDIT AUTH RECORDS) > 


(#PCDATA) > 


(# PCDATA) > 


SCAN, DAILY TICKETS) > 
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XPaths for User List Output 


XPath element specifications / notes 
/USER LIST OUTPU (ERROR | USER LIST) 


/USER LIST OUTPUT/ERROR  (*PCDATA) 


attribute: number number is implied and if present, will be an error code. 
/USER LIST OUTPUT/USER LIST (USER*) 
(USER. LIST. OUTPUT/USER. LIST/USER 


USER LOGIN?, EXTERNAL ID?, CONTACT. INFO, 

ASSIGNED ASSET. GROUPS?, USER STATUS, CREATION. DATE, 

LAST. LOGIN. DATE?, USER ROLE, MANAGER POC?, BUSINESS UNIT?, 
UNIT. MANAGER POC?, UI INTERFACE STYLE?, PERMISSIONS?, 
NOTIFICATIONS?) 


(USER. LIST. OUTPUT/USER. LIST/USER/USER. LOGIN (#PCDATA) 


3 = i 


The Qualys user login ID for the user's account. 
(USER. LIST. OUTPUT/USER. LIST/USER/USER ID (#PCDATA 


The unique ID for the user's account. 
/USER_LIST_OUTPUT/USER_LIST/USER/EXTERNAL_ID (#PCDATA) 


[he user's custom external ID, if defined. If not defined, this element does not 
appear. 


/USER_LIST_OUTPUT/USER_LIST/USER/CONTACT_INFO 


FIRSTNAME, LASTNAME, TITLE, PHONE, FAX, EMAIL, COMPANY, ADDRESS1, 
ADDRESS2, CITY, COUNTRY, STATE, ZIP_CODE, TIME_ZONE_CODE) 


/USER_LIST_OUTPUT/USER_LIST/USER/CONTACT_INFO/FIRSTNAME (#PCDATA) 


The user's first name. 
/USER_LIST_OUTPUT/USER_LIST/USER/CONTACT_INFO/LASTNAME (#PCDATA) 


[he user’s last name. 
/USER_LIST_OUTPUT/USER_LIST/USER/CONTACT_INFO/TITLE (#PCDATA) 


[he user’s job title. 
/USER_LIST_OUTPUT/USER_LIST/USER/CONTACT_INFO/PHONE (#PCDATA) 


[he user's phone number. 
/USER_LIST_OUTPUT/USER_LIST/USER/CONTACT_INFO/FAX (#PCDATA) 


The user's fax number. 
/USER_LIST_OUTPUT/USER_LIST/USER/CONTACT_INFO/EMAIL (#PCDATA) 


[he user’s email address. 


/USER_LIST_OUTPUT/USER_LIST/USER/CONTACT_INFO/COMPANY (#PCDATA) 
The user’s company name. 
/USER. LIST OUTPUT/USER LIST/USER/CONTACT INFO/ADDRESS1 (#PCDATA) 
The first line of the user's street address. 


/USER_LIST_OUTPUT/USER_LIST/USER/CONTACT_INFO/ADDRESS2 (4PCDATA) 


[he second line of the user's street address. 
/USER_LIST_OUTPUT/USER_LIST/USER/CONTACT_INFO/CITY (#PCDATA) 


[he user's city. 
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XPath element specifications / notes 
/USER. LIST. OUTPUT/USER LIST/USER/CONTACT INFO/COUNTRY (4PCDATA) 
The user's country. 
(USER LIST OUTPUT/USER LIST/USER/CONTAGT INFO/STATE (#PCDATA) 
The user's state. 
/USER. LIST OUTPUT/USER LIST/USER/CONTACT INFO/ZIP CODE (#PCDATA) 
The zip code of the user's street address. 
/USER. LIST. OUTPUT/USER. LIST/USER/CONTACT INFO/TIME ZONE CODE (#PCDATA) 
The user's time zone code This will be the browser's timezone (Auto) or a user- 
selected code (e.g. US-NY). 
(USER LIST. OUTPUT/USER. LIST/USER/ASSIGNED ASSET GROUPS (ASSET. GROUP TITLE+) 
(USER. LIST. OUTPUT/USER LIST/USER/ASSIGNED ASSET GROUPS/ASSET. GROUP TITLE (#PCDATA) 
The title of an asset group assigned to the user. 
/USER LIST. OUTPUT/USER LIST/USER/USER STATUS (#PCDATA) 
The user status. Possible values are Active, Inactive and Pending Activation. 
/USER LIST. OUTPUT/USER LIST/USER/CREATION. DATE (#PCDATA 
The date and time when the user account was created. 
/USER. LIST OUTPUT/USER LIST/USER/LAST. LOGIN DATE (#PCDATA) 
The most recent date/time the user logged into Oualys using the user login ID 
specified in the <USER LOGIN> element. This element is returned when the 
API reguest was made by a Manager or Unit Manager. For a Manager, the last 
login date is returned for all users in the subscription. For a Unit Manager, the 
last login date is returned for users in the Unit Manager's same business unit. 
/USER LIST. OUTPUT/USER. LIST/USER/USER. ROLE (#PCDATA) 
The user role assigned to the user. Possible values are Manager, Unit Manager, 
Scanner, Reader and Contact. 
/USER LIST. OUTPUT/USER. LIST/USER/MANAGER. POC (#PCDATA) 
A flagindicating whether the user is the Manager Point of Contact (POC) for 
the subscription. The value 1 is returned when this user is the Manager POC. 
The value 0 is returned when this user is not the Manager POC. 
/USER_LIST_OUTPUT/USER_LIST/USER/BUSINESS_UNIT (#PCDATA) 
The business unit the user belongs to. If the user is not part of a business unit 
then the value is “Unassigned”. 
/USER_LIST_OUTPUT/USER_LIST/USER/UNIT_MANAGER_POC (#PCDATA 


A flag indicating whether this user is the Unit Manager Point of Contact (POC) 
for the user’s business unit. The value 1 is returned when this user is the Unit 
Manager POC. The value 0 is returned when this user is not the Unit Manager 

POC. 


/USER_LIST_OUTPUT/USER_LIST/USER/UIINTERFACE_STYLE (#PCDATA 


he user interface style applied to the user account. Possible values are 
standard_blue, navy_blue, coral_red, olive_green and 
accessible_high_contrast. 


/USER_LIST_OUTPUT/USER_LIST/USER/PERMISSIONS 


(CREATE_OPTION_PROFILES, PURGE_INFO, ADD_ASSETS, 
EDIT_REMEDIATION_POLICY, EDIT. AUTH. RECORDS) 
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XPath element specifications / notes 
/USER. LIST. OUTPUT/USER LIST/USER/PERMISSIONS/CREATE OPTION PROFILES (#PCDATA) 


A flagindicating whether the user is granted permission to create personal 
option profiles. The value 1 is returned when the user is granted this 
permission. The value 0 is returned when the user is not granted this 
permission. 


/USER_LIST_OUTPUT/USER_LIST/USER/PERMISSIONS/PURGE_INFO (#PCDATA) 


A flag indicating whether the user is granted permission to permanently 
delete saved host information. The value 1 is returned when the user is 
granted this permission. The value 0 is returned when the user is not granted 
this permission. 


/USER_LIST_OUTPUT/USER_LIST/USER/PERMISSIONS/ADD_ASSETS (#PCDATA) 


A flag indicating whether the Unit Manager is granted permission to add IPs 
and domains to the user’s business unit, and thus to the subscription. The 
value 1 is returned when the user is granted this permission. The value 0 is 
returned when the user is not granted this permission. 


/USER_LIST_OUTPUT/USER_LIST/USER/PERMISSIONS/EDIT_REMEDIATION_POLICY (#PCDATA) 


A flag indicating whether the Unit Manager is granted permission to create 
and edit a remediation policy for the user’s business unit. The value 1 is 
eturned when the user is granted this permission. The value 0 is returned 
when the user is not granted this permission. 


(USER. LIST. OUTPUT/USER. LIST/USER/PERMISSIONS/EDIT. AUTH RECORDS  (#PCDATA) 


A flagindicating whether the Unit Manager is granted permission to create 
and edit authentication records when all of the target hosts in the record are 
in the user's business unit. The value 1 is returned when the user is granted 
this permission. The value 0 is returned when the user is not granted this 
permission. 


/USER_LIST_OUTPUT/USER_LIST/USER/NOTIFICATIONS (LATEST_VULN, MAP, SCAN, DAILY_TICKETS) 
/USER_LIST_OUTPUT/USER_LIST/USER/NOTIFICATIONS/LATEST_VULN (#PCDATA) 


A flag indicating how often the user receives the Latest Vulnerabilities email 
notification. Possible values are weekly, daily and none. 


/USER_LIST_OUTPUT/USER_LIST/USER/NOTIFICATIONS/MAP (#PCDATA) 


A flag indicating whether the user receives the Map Notification via email. 
The value will be one of: 

“ags” - the user receives the Map Notification (this option is set to “On” in the 
Ul) 
“none” - the user does not receive the Map Notification (this option is set to 
“Off” in the UI) 


/USER. LIST. OUTPUT/USER. LIST/USER/NOTIFICATIONS/SCAN (#PCDATA) 


A flagindicating whether the user receives the Scan Summary Notification 
via email. The value will be one of: 

“ags” - the user receives the Scan Summary Notification (this option is set to 
“On” in the UI) 
“none” - the user does not receive the Scan Summary Notification (this option 
is set to “Off” in the UI) 


/USER_LIST_OUTPUT/USER_LIST/USER/NOTIFICATIONS/DAILY_TICKETS (#PCDATA) 


A flag indicating whether the user receives the Daily Trouble Tickets Updates 
email notification. The value 1 is returned when this notification should be 
sent to the user. The value 0 is returned when this notification should not be 
sent to the user. 
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User Action Log Report 
API used 


<platform API server>/msp/action log report.php 


DTD for Action Log Report 
<platform API server>/action log report.dtd 


A recent DTD is shown below. 


<!-- OUALYS ACTION LOG REPORT DTD --> 
<!ELEMENT ACTION LOG REPORT (ERROR | (DATE FROM, DATE TO, USER LOGIN?, 
ACTION LOG LIST))> 


<!ELEMENT ERROR (#PCDATA) *> 
<!ATTLIST ERROR number CDATA #IMPLIED> 


<!ELEMENT DATE FROM (#PCDATA) *> 
<!ELEMENT DATE TO (#PCDATA) *> 


<!ELEMENT USER LOGIN (#PCDATA) *> 


NT ACTION LOG LIST (ACTION LOG) *> 

NT ACTION LOG (DATE, MODULE, ACTION, DETAILS, USER, IP?)> 
<!ELEMENT DATE (#PCDATA) > 

N 

N 

N 


T MODULE (#PCDATA) > 
T ACTION (#PCDATA) > 
T DETAILS (#PCDATA) > 


T USER (USER LOGIN, FIRSTNAME, LASTNAME, ROLE) > 
T FIRSTNAME (#PCDATA) > 

T LASTNAME (#PCDATA) > 

T ROLE (#PCDATA) > 


<!ELEMENT IP (#PCDATA) > 


XPaths for Action Log Report 


XPath element specifications / notes 

/ACTION_LOG_REPORT (ERROR | (DATE_FROM, DATE_TO, USER_LOGIN?, ACTION_LOG_LIST)) 
/ACTION LOG REPORT/ERROR  (#PCDATA) 

attribute: number number is implied and if present, will be an error code. 

/ACTION LOG REPORT/DATE FROM (4PCDATA) 


The start date and time of the time window for downloading action log 
entries, in YYYY-MMDDTHH:MM:SSZ format (UTC/GMT). Note: If the time is 
not specified as part of the “date from” input parameter for the action log 
request, then the time is set to the start of the day: T00:00:00Z 
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element specifications / notes 


/ACTION LOG. REPORT/DATE. TO (4PCDATA) 


The end date and time ofthe time window for downloading ac 
in YYYY-MMDDTHH:MM:SSZ format (UTC/GMT). Note: If the “ 
parameter is not specified for the action log request, then the 
and time are used. If the date is specified but the time is not s 
the time is set to the end of the day: T23:59:59Z 


tion log entries, 
date_to” input 
current date 
pecified, then 


/ACTION_LOG_REPORT/USER_LOGIN (#PCDATA) 


The Qualys user login ID specified to filter results. Note: This e 


ement appears 


only when the “user_login” input parameter is specified for the action log 


request. 
/ACTION_LOG_REPORT/ACTION_LOG_LIST (ACTION LOG)* 
/ACTION. LOG REPORT/ACTION LOG LIST/ACTION LOG 
(DATE, MODULE, ACTION, DETAILS, USER, IP?) 
(ACTION LOG REPORT/ACTION LOG LIST/ACTION LOG/DATE (#PCDATA) 
The date and time when the action occurred, in YYYY-MMDDTHH:MM:SSZ 
format (UTC/GMT). 
/ACTION LOG REPORT/ACTION LOG LIST/ACTION LOG/MODULE (*PCDATA) 
The module affected by the action. See the Oualys online help for a listing. 
/ACTION. LOG REPORT/ACTION LOG LIST/ACTION LOG/ACTION (4PCDATA) 
The action performed. See the Oualys online help fora listing. 
/ACTION LOG REPORT/ACTION. LOG LIST/ACTION LOG/DETAILS (#PCDATA) 
Additional information about the action. For example, details may include 
map and scan targets, scan reference numbers and specific changes to 
account configurations. 
/ACTION. LOG REPORT/ACTION. LOG LIST/ACTION. LOG/USER 
(USER. LOGIN, FIRSTNAME, LASTNAME, ROLE) 
(ACTION. LOG REPORT/ACTION LOG LIST/ACTION LOG/USER/USER LOGIN (4PCDATA) 
The Oualys user login ID for the user who performed the action. 
/ACTION. LOG REPORT/ACTION. LOG LIST/ACTION LOG/USER/FIRSTNAME (#PCDATA) 
The first name of the user who performed the action. 
/ACTION. LOG REPORT/AGTION. LOG LIST/ACTION. LOG/USER/LASTNAME (4PCDATA) 
The last name of the user who performed the action. 
/ACTION LOG REPORT/ACTION LOG LIST/ACTION LOG/USER/ROLE (#PCDATA) 
The user role (Manager, Unit Manager, Scanner or Reader) assigned to the user 
who performed the action. 
/ACTION LOG REPORT/ACTION LOG LIST/ACTION LOG/IP (#PCDATA) 
The IP address of the system used by the user to perform the action. 
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Password Change Output 
API used 


<platform API server>/msp/password_change.php 


DTD for Password Change Output 
<platform API server>/password_change_output.dtd 
A recent DTD is shown below. 


<!-- QUALYS PASSWORD CHANGE OUTPUT DTD --> 


<!ELEMENT PASSWORD CHANGE OUTPUT (API, RETURN) > 


<!-- "name" is the name of API --> 
<!-- "at" attribute is the current platform date and time --> 
<!ELEMENT API (#PCDATA) > 


ame CDATA #REQUIRED 
sername CDATA #REQUIRED 
t CDATA #REQUIRED> 


A 
<!ATTLIST API 

n 

u 

a 


<!-- the PCDATA contains an explanation of the status --> 
<!ELEMENT RETURN (MESSAGE, CHANGES?, NO CHANGES?) > 
<!ATTLIST RETURN 

status (FAILED| SUCCESS |WARNING) #REQUIRED 
number CDATA #IMPLIED> 
MESSAGE (#PCDATA) *> 


<!ELEMENT CHANGES (USER LIST) > 

<!ATTLIST CHANGES count CDATA #IMPLIED> 
<!ELEMENT USER LIST (USER+) > 

<!ELEMENT USER (USER LOGIN, PASSWORD?, REASON?) > 


<!ELEMENT NO CHANGES (USER_LIST) > 
<!ATTLIST NO CHANGES count CDATA *IMPLII 


El 


D> 


XPaths for Password Change Report 


XPath element specifications / notes 
/PASSWORD_CHANGE_OUTPUT (API, RETURN) 


/PASSWORD CHANGE OUTPUT/API (4PCDATA) 


attribute: name name is required and is the API function name. 


attribute: username username is required and is the user login of the API user. 


attribute: at at is required and is the date/time when the function was run in 
YYYY-MM-DDTHH:MM:SSZ format (UTC/GMT). 
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XPath element specifications / notes 

(PASSWORD CHANGE OUTPUT/RETURN (MESSAGE, CHANGES?, NO CHANGES?) 
attribute: status status is required and is a status code, either SUCCESS, FAILED, or WARNING. 
attribute: number number is implied and, if present, is an error code. 


/PASSWORD_CHANGE_OUTPUT/RETURN/MESSAGE (#PCDATA) 
A descriptive message that corresponds to the status code. 
/PASSWORD_CHANGE_OUTPUT/RETURN/CHANGES (USER_LIST) 


attribute: count count is implied and, if present, is the total number of user accounts for 
which passwords were updated. 


PASSWORD CHANGE OUTPUT/RETURN/CHANGES/USER LIST (USER+) 
PASSWORD. CHANGE OUTPUT/RETURN/CHANGES/USER LIST/USER 
USER. LOGIN, PASSWORD?, REASON?) 


The USER element (with sub-elements) is returned for a user account when 
the password change.php reguest included the email=0 input parameter. 


(PASSWORD CHANGE OUTPUT/RETURN/CHANGES/USER LIST/USER/USER LOGIN (#PCDATA) 
The user login ID for a user account. 

(PASSWORD CHANGE, OUTPUT/RETURN/CHANGES/USER LIST/USER/PASSWORD  (*PCDATA) 
The new and current password for the user account. 
(PASSWORD CHANGE OUTPUT/RETURN/CHANGES/USER LIST/USER/REASON - (4PCDATA) 


Si 


mp 


The reason why the password for the user account was not updated. For 
example, if the user has running maps and/or scans. 


/PASSWORD_CHANGE_OUTPUT/RETURN/NO_CHANGES (USER_LIST 


attribute: count count is implied and, if present, is the total number of user accounts which 
do not have changed passwords. 


/PASSWORD_CHANGE_OUTPUT/RETURN/NO_CHANGES/USER_LIST (USER+) 


m 
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Appendix 


Simple Re 


turn 


Batch Return 


Simple 


Return 
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The simple return is XML output returned from several API calls. 


DTD for Simple Return 
<platform API server>/api/2.0/simple_return.dtd 


A recent DTD 


<!-- QUALYS SIMPLE 


<! 


is shown below. 


RETURN DTD --> 


ELEMENT SIMPLE RETURN (REQUEST?, RESPONSE) > 


<! 


ELEMENT REQUEST 


<! 


ELEMENT DATETIME 


<! 


<! 


<! 


<! 


<! 


<! 


ELEMENT VAI 


UE (+ 


<!-- If specified, 


<! 


(DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 
(# PCDATA) > 


ELEMENT USER LOGIN (#PCDATA) > 
ELEMENT RESOURCE 
ELEMENT PARAM LI 
ELEMENT PARA 
ELEMENT KEY (#PCDATA) > 


(#PCDATA) > 
ST (PARAM+) > 


(KEY, VALUE) > 


PCDATA) > 
POST DATA will be urlencoded --> 


ELEMENT POST DATA ( PCDATA) > 


<! 


ENT RESPONSE 


<! 


<! 


<! 


ZE ee 
2 
Q 
O 
Koy 


M LIS 


<! 


(KE 


(DATETIME, CODE?, TEXT, ITEM LIST?)> 


(# PCDATA) > 
ENT TEXT (#P 


CDATA) > 
T (ITEM+ 
Y, VALUE 


XPaths for Simple Return 


XPath element specifications / notes 
/SIMPLE_RETURN (REQUEST?, RESPONSE) 
/SIMPLE_RETURN/REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/SIMPLE_RETURN/REQUEST/DATETIME — (4PCDATA) 

The date and time of the request. 
/SIMPLE_RETURN/REQUEST/USER_LOGIN (#PCDATA) 


The user login ID of the user who made the reguest. 
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XPath element specifications / notes 
/SIMPLE RETURN/REOUEST/RESOURCE — (4PCDATA) 

The resource specified for the reguest. 
/SIMPLE RETURN/REOUEST/PARAM LIST (PARAM+) 
/SIMPLE_RETURN/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
/SIMPLE_RETURN/REQUEST/PARAM_LIST/PARAM/KEY (#PCDATA) 

The input parameter name. 
/SIMPLE_RETURN/REQUEST/PARAM_LIST/PARAM/VALUE — (*PCDATA) 

The input parameter value. 
/SIMPLE_RETURN/REQUEST/POST_DATA — (*PCDATA) 

The POST data. 
/SIMPLE_RETURN/RESPONSE (DATETIME, CODE?, TEXT, ITEM_LIST?) 
/SIMPLE_RETURN/RESPONSE/DATETIME (#PCDATA) 

The date and time of the response. 
/SIMPLE RETURN/RESPONSE/CODE  (#PCDATA) 

The response error code. 
/SIMPLE RETURN/RESPONSE/TEXT (#PCDATA) 

The response error text. 
/SIMPLE. RETURN/RESPONSE/ITEM. LIS (ITEM+) 
/SIMPLE_RETURN/RESPONSE/ITEM_LIST/ITEM (KEY, VALUE +) 
(SIMPLE RETURN/RESPONSE/ITEM LIST/ITEM/KEY (#PCDATA) 

The response item keyword. 
(SIMPLE RETURN/RESPONSE/ITEM LIST/ITEM/KEY (#PCDATA) 


The response item value. 
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Batch Return 


The batch return is XML output returned from several API calls. 


DTD for Simple Return 
<platform API server>/api/2.0/batch_return.dtd 


A recent DTD is below. 


<! 
<! 


<! 


<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 
<! 


<! 
<! 
<! 


<! 
<! 
<! 
<! 
<! 
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-- QUALYS BATCH RETURN DTD --> 


ELEMENT BATC 


H RI 


ELEMENT REOU 


EST 


ETURN (REQUEST?, RESPONSE) > 


(DATETIME, USER LOGIN, RESOURCE, PARAM LIST?, 
POST DATA?) > 


ELEMENT DATE 


TIM 


E (#PCDATA) > 


ELEMENT USER LOGIN (#PCDATA) > 


ELEMENT RESO 


URC 


ELEMENT PARA 
ELEMENT PARA 
ENT KEY 
ENT VALU 


1 
1 
TARE 
Fh 


E (#PCDATA) > 


| LIST (PARAM+) > 
(KEY, VALUE) > 
(#PCDATA) > 
E (#PCDATA) > 
specified, POST DATA will be urlencoded --> 
ENT POST DATA (#PCDATA) > 


ELEMENT RESPONS 


E (DATETIME, BATCH LIST?)> 


ELEMENT BATCH 


ELEMENT BATCH LIST (BATCH+) > 
(CODE?, TEXT?, ID SET?)> 


PCDATA) > 
PCDATA) > 
(ID| ID_RANGE) +> 


E (#PCDATA) > 


DATA) > 


XPaths for Batch Return 


XPath element specifications / notes 
/BATCH_RETURN (REQUEST?, RESPONSE) 
/BATCH_RETURN/REQUEST (DATETIME, USER_LOGIN, RESOURCE, PARAM_LIST?, POST_DATA?) 
/BATCH RETURN/REOUEST/DATETIME — (*PCDATA) 
The date and time of the request. 
/BATCH RETURN/REOUEST/USER LOGIN (#PCDATA) 


[he user login ID of the user who made the request. 


/SIMPLE_RETURN/REQUEST/RESOURCE — (4PCDATA) 


The resource specified for the request. 


/BATC 


_RE 


URN/REOUEST/PARAM LIST  (PARAM+) 


/BATC 


_RETURN/REQUEST/PARAM_LIST/PARAM (KEY, VALUE) 
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XPath element specifications / notes 
/BATCH_RETURN/REQUEST/PARAM_LIST/PARAM/KEY | (4PCDATA) 

The input parameter name. 
/BATCH_RETURN/REQUEST/PARAM_LIST/PARAM/VALUE — (#PCDATA) 

The input parameter value. 
/BATCH_RETURN/REQUEST/POST_DATA (#PCDATA) 

The POST data. 
/BATCH_RETURN/RESPONSE (DATETIME, BATCH LIST?) 
/BATCH_RETURN/RESPONSE/DATETIME (#PCDATA) 

The date and time of the response. 
/BATCH RETURN/RESPONSE/BATCH LIST (BATCH+) 
/BATCH_RETURN/RESPONSE/BATCH_LIST/BATC (ODE E SAATES Ema) 
/BATCH_RETURN/RESPONSE/BATCH_LIST/BATCH/CODE (4PCDATA) 

A batch code. 
/BATCH RETURN/RESPONSE/BATCH LIST/BATCH/TEXT (4PCDATA) 

A batch text description. 
/BATCH RETURN/RESPONSE/BATCH LIST/BATCH/ID SET (IDJID RANGE) 
/BATCH_RETURN/RESPONSE/BATCH_LIST/BATCH/ID_SET/ID (#PCDATA) 

A batch ID number. 
/BATCH_RETURN/RESPONSE/BATCH_LIST/BATCH/ID_SET/ID_RANGE (#PCDATA) 


A batch ID range. 
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